The Cybersecurity Maturity Model Certification (CMMC) is a framework that offers guidelines for establishing security practices and safeguards. It was designed by the U.S. Department of Defense (DoD) in response to the increasing number of cyberattacks targeting contractors working for the government. The CMMC model is intended to help organizations assess their current cybersecurity posture and identify gaps that need to be addressed.
The Purpose of CMMC
The main objective of CMMC compliance is to protect Controlled Unclassified Information (CUI) from access or disclosure by unauthorized persons. CUI is any information that the government considers sensitive but that is not subject to an official national security classification. Examples of CUI include information on military personnel, weapons systems, and critical infrastructure.
CMMC Levels
Organizations that wish to do business with the DoD need to obtain a CMMC certification. The level of certification required is determined by the nature and sensitivity of the CUI that the business will access or handle. There are five levels of CMMC certification, ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced/progressive).
1. Level 1 is the first level and covers basic cyber hygiene guidelines. Companies must follow these guidelines to be compliant with the CMMC.
2. Level 2 adds the need for security controls as well as incident response.
3. Level 3 expands on the previous two levels and adds requirements for personnel security, physical security, and system security.
4. Level 4 introduces requirements for supply chain risk management and the resilience of information systems.
5. Level 5 is the highest level of CMMC certification. It covers all the requirements of the lower levels, as well as additional requirements for the security of data and systems.
CMMC Process
The CMMC framework is built on existing cybersecurity standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the International Organization for Standardization (ISO) 27001. It also integrates best practices from other industries, such as the Capability Maturity Model Integration (CMMI).
The CMMC certification process is overseen by the Defense Counterintelligence and Security Agency (DCSA). Certification organizations accredited by the DCSA evaluate an organization’s compliance with CMMC requirements.
To become CMMC certified, organizations must first complete a self-assessment to determine their current cybersecurity posture. Next, they must create and implement a plan to fix any weaknesses in their security practices. Finally, they must be evaluated by an accredited CMMC auditor.
A CMMC certificate is valid for three years, after which the company must undergo another audit to keep its certification.
The CMMC framework is designed to evolve over time, with new requirements added as the threat landscape changes. The aim is to ensure that government contractors have the appropriate security controls in place to safeguard CUI from unauthorized access or disclosure.