Cybersecurity Maturity Model Certification (CMMC)
for Department of Defense (DOD)
The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.
For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
Two of Orlando’s most prominent cyber security companies have joined forces to provide a turnkey CMMC solution.
Since 2016, RB Advisory have been specialists in assessing and reducing cyber risk. They are the leading provider of security compliance and cyber risk management. We believe that in order to create an effective governance, compliance and security culture, there needs to be an understanding of each aspect of enterprise risk management and governance, with insight and commitment at every level of an organization.
RB Advisory have been helping DoD contractors meet their cyber compliance obligations to their prime contractors and to the DoD. They are masters at helping clients understand their current cybersecurity posture, as well as at setting roadmaps to complete and maintain the Plan of Action and Milestones (POAM).
Diriga Technologies specializes in incident response plans and managed IT services with a focus on cybersecurity. Diriga takes a holistic, multilayer approach to security, protecting companies at every layer from the gateway to the endpoint. Diriga’s cutting-edge IT solutions center around doing more with less, allowing your company to leverage innovation rather than simply “throwing money at the problem.” Through a pioneering philosophy of “business technology in a box”, Diriga allows you to customize a comprehensive IT solution to meet your needs.
Between the two companies, we are able to provide a full CMMC solution, from the initial audit and the Plan of Action and Milestones to coordinating with the third-party assessor. We’ve got you covered!
The CMMC effort builds upon existing regulation, which is based on trust, by adding a verification component with respect to cybersecurity requirements.
Specific Existing Regulations:
- 48 Code of Federal Regulations (CFR) 52.204-21
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
- NIST SP 800-171 rev 1
- NIST SP 800-171B (Draft)
- United Kingdom’s Cyber Essentials
- Australia’s Essential Eight [4,11,12,47]
The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
The intent is for certified independent third-party organizations to conduct audits and inform risk.
When will the final CMMC framework be released to the public?
CMMC Framework Version 1.0 was released in January 2020 to support training requirements. In June 2020, industry should begin to see CMMC requirements as part of Requests for Information, and during this time auditors will be assessing contractors. Around October / November 2020, CMMC requirements will start appearing in Requests for Proposals.
Why is the CMMC being created?
The Center for Strategic and International Studies estimates that the cost of cybercrime worldwide is approximately $600 billion. The majority of this IP theft is directly attributable to poor cybersecurity maturity and ineffective implementation of the controls necessary to protect sensitive data.
The sharing of FCI and CUI with DIB sector contractors expands the Department’s attack surface, because sensitive data is distributed beyond the DoD’s information security boundary. Cybersecurity must become a foundation of DoD acquisition.
DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).
What’s involved with CMMC Certification?
The certification will measure the DIB sector company’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
It is intended to serve as a verification mechanism ensuring that appropriate levels of cybersecurity practices and processes are in place to provide basic cyber hygiene as well as to protect controlled unclassified information (CUI) that resides on the networks of the Department’s industry partners.
How will my organization become certified?
Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment.
Your company will specify the level of the certification requested based on your company’s specific business requirements.
Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate capability and organizational maturity to the satisfaction of the assessor and certifier.
The CMMC model framework categorizes cybersecurity best practices at the highest level by domains. Each domain is further segmented by a set of capabilities. Capabilities are achievements to ensure cybersecurity objectives are met within each domain. Companies will further demonstrate compliance with the required capabilities by demonstrating adherence to practices and processes, which have been mapped across the five maturity levels of CMMC. Under this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, and processes will measure the maturity of a company’s processes. Within each domain, DIB companies will be accredited under the CMMC only if they can demonstrate compliance with the required practices and demonstrate mature processes as required for the given CMMC Level.
The CMMC model has five defined levels, each with a set of supporting practices and processes, illustrated to the right.
Practices range from Level 1 (basic cyber hygiene) to the proactive and advanced Levels 4 and 5. In parallel, processes range from being performed at Level 1, to being documented at Level 2, to being optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and all levels below it.
Any organization that handles CUI will need Level 3, which follows NIST SP 800-171 rev 1. All sensitive programs will require Level 4 or 5, and Levels 4 and 5 will be a lot more expensive than the others.
The CMMC model consists of 17 domains. The majority of these CMMC domains originated from the FIPS 200 security-related areas and the NIST SP 800-171 control families. The CMMC model also includes the Asset Management, Recovery, and Situational Awareness domains. These domains are shown in Figure 3 with their abbreviations as used in the model practice numbering system.