What is CMMC and the Impact on Dayton Area Contractors?
The Department of Defense issued a new regulatory standard called the Cybersecurity Maturity Model Certification (CMMC). CMMC took the cybersecurity controls currently in place, such as NIST 800-171, ISO 27001, and ISO 27032, to name a few, and enhanced these standards in the form of five maturity level certifications. Each level consists of a set of processes and practices intended to verify that DoD contractors have the necessary controls in place to protect sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). However, these new standards are also intended to lessen the burden on small and mid-size businesses by requiring them to meet certain levels based on what the contractor or vendor needs to perform under their contracts. Along with being used for self-examination, CMMC will also require a third-party assessment from a certified auditor every three years.
The CMMC levels and descriptions are cumulative, meaning that moving from one level to the next requires demonstrated achievement of the preceding level on both the processes and the practices.
With each level, the focus takes many considerations into account, including the sensitivity of information, level of threats, costs, implementation complexity, and other factors. So as the maturity level increases, so do the regulations.
The model consists of 17 domains as follows:
Access Control (AC); Asset Management (AM); Audit & Accountability (AU); Awareness & Training (AT); Configuration Management (CM); Identification & Authentication (IA); Incident Response (IR); Maintenance (MA); Media Protection (MP); Personnel Security (PS); Physical Protection (PE); Recovery (RE); Risk Management (RM); Security Assessment (CA); Situational Awareness (SA); System & Communications Protection (SC); and System & Information Integrity (SI).
The goal of CMMC is to protect against theft of sensitive information due to malicious cyber activity that threatens our national security. All Dayton area organizations performing work for the Department of Defense will be required, as outlined above, to meet the level of certification requirements deemed necessary based on the work performed. Outsourcing to a Registered Practitioner (Certified CMMC Consultant) will save you time and money as they guide you through the process. First, a gap analysis is completed to determine where you are and where you need to be. From this review, a plan is drawn up to assist you in meeting the cybersecurity requirements. To verify you have implemented the necessary controls to meet the requirements of a CMMC audit, your consultant will have documentation for you to maintain. In addition, ongoing monitoring with your consultant is recommended, as you will re-certify every three years.
- Information from Cybersecurity Maturity Model Certification (CMMC) version 1.02 dated March 18, 2020