What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC encompasses multiple maturity levels that range from “Basic Cyber Hygiene” to “Advanced”. The CMMC effort builds upon the existing regulation (DFARS 252.204-7012), which relies on contractor self-attestation, by adding an independent verification component for the cybersecurity requirements.

The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. The intent is for accredited, independent third-party organizations to conduct the assessments and report the results so that the DoD can make risk-informed award decisions.

Why CMMC?

Beginning September 2020, DoD will include mandatory CMMC compliance requirements in its acquisition of goods and services. Companies that lack a current CMMC certification at the level a contract requires will be unable to bid on or participate in that DoD contract. This makes CMMC a “must have” business imperative rather than a “nice to have” certification for marketing purposes.

In addition to the loss of potential business, non-compliance with NIST SP 800-171 and CMMC can lead to serious legal consequences for both individuals and the company through False Claims Act (FCA) violations, since certifying compliance that does not exist is a false claim to the government.

CMMC Levels

Each level pairs a practice maturity with a process maturity; both must be met for certification at that level.

  Level     Practices                     Processes
  Level 5   Advanced/Progressive          Optimized
  Level 4   Proactive                     Reviewed
  Level 3   Good Cyber Hygiene            Managed
  Level 2   Intermediate Cyber Hygiene    Documented
  Level 1   Basic Cyber Hygiene           Performed

CMMC Domains

Level 1

Basic Cyber Hygiene

This level establishes the foundation for the higher levels of the model and must be completed by all certified organizations. Practices only need to be performed; they do not yet need to be documented.

Total Controls = 17
  • Control system access
  • Grant access to authenticated entities
  • Limit physical access
  • Identify and manage information system flaws
  • Limit data access to authorized users and processes
  • Sanitize media
  • Control communications at system boundary
  • Identify malicious content

Level 2

Intermediate Cyber Hygiene

At this level, you must demonstrate documented processes for each control. This is done with policies, operating procedures, and plans that guide the cybersecurity program, so that practices are repeatable rather than dependent on individuals.

Total Controls = 72
  • Least privilege
  • Awareness and training
  • Control data flows
  • Background checks
  • System hardening and configuration management
  • Incident handling
  • Vulnerability scanning
  • Audit logging
  • Multi-factor authentication
  • Intrusion detection
  • Backups
  • Password Strength
  • Risk Assessment
  • Encryption

Level 3

Good Cyber Hygiene

At this level, you must demonstrate managed processes for each control: a plan exists for each domain, adequate resources are allocated to carry out that plan, and you review adherence to your policies and procedures.

Total Controls = 131
  • Separation of duties
  • Control mobile devices
  • Encryption (FIPS validated)
  • Label data
  • Centralized audit log management
  • Software blacklisting/whitelisting
  • Multi-factor authentication
  • Off-site, off-line backups
  • Continuous monitoring of effectiveness
  • Code reviews
  • Design security into new systems
  • Email protection

Level 4

Proactive Cyber Hygiene

At this level, you must demonstrate reviewed processes for each control. This includes a process to review and measure activities for effectiveness, to report status to higher-level management, and to resolve the issues found.

Total Controls = 157
  • Situational awareness
  • Threat intelligence
  • Automated discovery
  • Automated analysis/alerting
  • Phishing exercises
  • Software whitelisting
  • Security Operations Center (SOC)
  • Continuous improvement
  • Penetration testing
  • Threat hunting
  • URL filtering
  • Advanced malware detection

Level 5

Progressive Cyber Hygiene

At this level, you must demonstrate optimized processes for each control, such that the approach is standardized across the organization and improvements identified in one part of the organization are shared with the rest.

Total Controls = 173
  • Code signing
  • 24×7 response
  • Redundancy
  • Tailored boundary protections
  • Automated real-time response
  • Unannounced exercises
  • Packet capture
  • Behavioral analysis

Why Us?

  • We are intimately familiar with all requirements of the CMMC certification program. This includes:
    • The processes of the actual certification
    • Real-world knowledge of the requirements
  • We specialize in Gap Analysis and in creating an actionable roadmap to help our clients achieve the certification in a timely and cost-effective manner:
    • From the ground up
    • Maturing from level to level
    • Reusing evidence from one certification program/level to satisfy another program/level
  • Centralized dashboard to manage your CMMC certification