What is the Cybersecurity Maturity Model Certification?
Cybersecurity Maturity Model Certification (CMMC) is a DoD program intended to enhance the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the DoD supply chain. CUI is information the government creates or possesses, or that an entity creates or possesses on behalf of the government, that a law, regulation, or government-wide policy requires to be safeguarded; it includes export-controlled, financial, immigration, legal, critical infrastructure, technical, and other categories of data. FCI is information, not intended for public release, that is provided by or generated for the government under a contract. CMMC requirements cover the practices and processes associated with the level you are pursuing, organized across 17 capability domains and 43 capabilities.
What are the CMMC Maturity Levels?
- Level 1: Basic Cyber Hygiene / Performed
Safeguard federal contract information (FCI) by implementing the 17 basic safeguarding requirements of FAR Clause 52.204-21.
- Level 2: Intermediate Cyber Hygiene / Documented
Document practices to protect CUI, drawn largely from a subset of NIST SP 800-171 Rev. 2.
- Level 3: Good Cyber Hygiene / Managed
Manage practices to protect CUI, covering all 110 requirements of NIST SP 800-171 Rev. 2 plus additional practices.
- Level 4: Proactive Cybersecurity / Reviewed / Not Available Yet
Advanced and sophisticated cybersecurity practices drawn from NIST SP 800-172.
- Level 5: Advanced/Progressive Cybersecurity / Optimized / Not Available Yet
Highly advanced cybersecurity practices to protect CUI and reduce the risk posed by advanced persistent threats (APTs).
Who needs to be CMMC compliant?
Government contractors, and their subcontractors, who handle FCI or CUI on contracts for DoD components, including the Army, Air Force, Marine Corps, Navy, DARPA, DFAS, DIA, DISA, DLA, DTRA, MDA, NGA, NRO, and other defense agencies, are required to meet CMMC requirements. The DFARS Interim Rule that introduced CMMC took effect on November 30, 2020, with a phased rollout that gives DoD contractors until 2025 to obtain certification. After November 30, 2025, DoD is likely to require at least CMMC Level 1 to participate in contracts. It is advantageous to start documenting your practices and pursuing CMMC Level 1 or higher sooner rather than later.
How to get started with CMMC Level 1?
The good news is that most government contractors already have many of these practices and processes in place, such as safeguarding policies covering physical and technical access control, updates and patches, backups, firewalls, monitoring, and more. You can start by pulling together documentation for the areas where you already meet CMMC requirements. ASE has a CMMC-AB Provisional Assessor on staff who consults with you to help prepare for the final assessment. Here are the steps:
- Questionnaire: We start with a questionnaire that covers every required area to establish what you are already doing.
- Monitoring: We deploy monitoring software on your network that gathers the logs and other evidence needed to demonstrate that your documented practices are actually performed.
- Report: We conduct a gap analysis showing the updates needed to be Level 1 compliant and to get on the path to Levels 2-3.
- Implement: We provide the details you need to implement the updates internally. If you prefer to outsource them, we can do the work for you, which frees your internal team to focus on its day-to-day responsibilities while ensuring the updates are done right and implemented quickly.
Once you have implemented everything, we will recommend a C3PAO for your final assessment. Conflict-of-interest rules require a contractor to use a different company for the final assessment than the one that provided the initial consulting.
How to hire a C3PAO?
When seeking a CMMC maturity level certification, you will need to engage a CMMC Third Party Assessment Organization (C3PAO) to conduct the certification assessment. Here is the process:
- Documentation: The C3PAO reviews your documentation and initial reports to see what you have created and updated.
- Monitoring: The C3PAO examines log and monitoring evidence from your network to confirm that the documented practices are actually performed. For Levels 2-3, you must show that you have been performing these processes and practices for 6 months or more.
- Verify: The C3PAO verifies whether you are in compliance with all practices and processes associated with the CMMC level you are pursuing.
- Pass/Fail: When every requirement is met, you pass the assessment and earn your CMMC certification, which is valid for 3 years.
C3PAOs must follow all government guidelines, and the CMMC-AB performs quality control on C3PAOs. There is no guarantee that you will pass the assessment. When compliance areas are missed, you will need to remediate them and be reassessed.
ASE: Top Experts in CMMC
Our compliance officers are top experts in Cybersecurity Maturity Model Certification. We were on the team that helped develop the CMMC requirements with DoD, so we know what to look for and how to guide you. Our processes are straightforward and easy to understand. Our team includes 30-year veterans in cybersecurity, compliance, and auditing. We have worked with CMMC, FISMA, ISACA, and NIST SP 800-series frameworks and standards, to name a few, and we train the organizations implementing them.
Leighton Johnson has 35 years of experience in cybersecurity, cyberterrorism, computer security, information operations and assurance, software development, systems engineering, and communications equipment operations. He is a leading Cybersecurity Maturity Model Certification expert and a CMMC-AB Provisional Assessor for Levels 1-3. He is formerly the CIO for Lockheed Martin's IS&GS directorate. He has taught auditing, certification, forensics, and risk management globally and holds several certifications: CISA, CISM, CISSP, CRISC, CGEIT, CDPSE, CAP, CSX, and FITSP-A.