There has been a lot of discussion around the cybersecurity interwebs lately about something called CMMC. CMMC stands for Cybersecurity Maturity Model Certification, which sounds super fancy and important, but what does it really mean?
The Cybersecurity Maturity Model Certification (henceforth referred to as CMMC for brevity) was designed by the Department of Defense in an attempt to recognize the importance of cybersecurity controls in all partners, contractors, and subcontractors that deal with the DoD. As many of you are aware, the NIST 800 series of controls has been around for a while and has served as guidance for a strong security program. What the DoD had discovered was that because there was no certification for the controls, many companies were performing self-assessments without understanding the controls or how to keep data safe and secure. Going forward, the DoD is going to require a level of CMMC certification in its contracts to ensure compliance.
This is not the first time the government has worked to set up standards. In addition to NIST guidelines, specifically NIST 800-171 and NIST 800-53, back in 2016 the government also put out DFARS, or the Defense Federal Acquisition Regulation Supplement. The primary goal of DFARS was protecting Controlled Unclassified Information, or CUI. It stressed protecting the data flowing through and stored in the contracted business, and how breaches are responded to. It too was largely based on NIST 800-171, and could be completed through a self-assessment process, although they did recommend outside assistance.
Now comes along CMMC. The CMMC builds upon the NIST 800-171 base with some DFARS guidance, some ISO 27000 series controls, and even some FISMA information. There are two big differences between CMMC and all that have come before it:
The graph below shows the different domains in the CMMC, and how many controls are in each domain at each level. If you are familiar with ISO 27XXX, DFARS, or NIST 800-171 or 53, you will recognize these domains very easily:
As you can see, there are many areas that if you are dealing with the DoD or affiliates in any way, you should already be looking into. So, what should your next steps be?
The bottom line is that the CMMC framework is an excellent set of cybersecurity controls. If you have been going through the NIST and DFARS assessments already, there should not be any heavy lifting to get to CMMC maturity level 3. If you have not been working on these in the past, now is the time to review the controls because the biggest change is that instead of taking your word for it via self-assessments, you will now be required to have a third-party assessment attest to your compliance, much like PCI and ISO. Contact us today to learn more about CMMC and discuss your unique situation!