Cybersecurity Maturity Model Certification
In 2020 we all faced unexpected delays in business because of a global pandemic, but one area where we cannot backslide is cybersecurity. The federal government has already committed and assured contractors that Cybersecurity Maturity Model Certification (CMMC) will continue to be rolled out on schedule and without delay. The first official revision of the CMMC was released on January 31, 2020.
*****Latest updates*****
On October 15th, 2024, the Federal Government released the final CMMC version, which can be found here: Federal Register :: Cybersecurity Maturity Model Certification (CMMC) Program
What is Cybersecurity Maturity Model Certification (CMMC)?
CMMC is a necessary evaluation and 3rd party issued certification for Defense Industrial Base (DIB) affiliated businesses that is determined by your cybersecurity posture. The federal government has deemed cybersecurity a critical component of contracting and bid award criteria, and it will be a requirement for defense contracting going forward. Giga-Green Technologies has been closely aligned with the NIST 800 series since our inception in 2016 and has been actively working with DoD contractors since 2020 to secure physical and cloud environments to NIST 800-171 standards.
CMMC consists of three progressively secure levels of certification built around 14 different domains of cybersecurity and organizational health. We’ve listed the 14 evaluation criteria and brief descriptions below. These knowledge domains were developed from NIST 800-171 standards and have been assigned minimum levels of compliance to achieve a CMMC certification. Currently, a CMMC certification is valid for 3 years and then the organization will need to be reassessed.
A brief of the final CMMC ruling can be found here: Cybersecurity Maturity Model Certification Program Overview
CMMC Level 1 – Federal Contracting Information (FCI) will need to be safeguarded with 15 documented practices and controls
CMMC Level 2 – Controlled Unclassified Information (CUI) will need to be safeguarded with 110 documented practices and controls (NIST 800-171)
CMMC Level 3 – Sensitive/Critical contracting – 24 added controls for a total of 134 controls (NIST 800-172)
How to prepare for a CMMC evaluation
The first question we are asked is “Where do we start?” Our process is the same one used and recommended by the NIST 800-Series documentation. A high-level overview of the required steps and their respective NIST publications is outlined below:
Why Giga-Green:
Too much? Many of our customers have and would say this looks daunting… and we are only at the start. CMMC compliance has elements that cover the entirety of an organization, not only your technology components. Leadership buy-in is absolutely necessary and employee participation is needed to ensure a successful CMMC implementation.
Start your journey to a digitally fortified future with Giga-Green. Your unique path deserves exceptional cybersecurity, and we specialize in crafting tailored solutions just for you. Envision a partnership where your digital resilience takes center stage, guarded by our commitment to surpassing cybersecurity standards. Trust Giga-Green as your reliable partner for a secure and resilient digital future.
Want to know more about each of these steps and what each includes? Take a look at how to identify FCI/CUI, scope and categorize assets, assess your systems, and build documentation by visiting our detailed CMMC preparation page located here:
NIST 800-171/CMMC Assessment Domains:
The assessment domains between NIST 800-171 and CMMC will remain unchanged and are applied across all in-scope systems. The 14 domains include:
- Access Controls (AC) – Limiting user access to information systems
- Audit & Accountability (AU) – Ability to track user actions to the individual
- Awareness and Training (AT) – Measures taken to educate your workforce
- Configuration Management (CM) – Appropriate configuration, limitation, and use of documented systems
- ID & Authentication (IA) – Identifying end users correctly and their ability to access systems (multifactor authentication at CMMC 2.0 Level 2)
- Incident Response (IR) – Cybersecurity breach and organizational disaster recovery and business continuity planning
- Maintenance (MA) – Performance of regular maintenance and software updates
- Media Protection (MP) – Proper disposal, transfer, and housing of FCI and CUI data
- Personnel Security (PS) – Screening and authorizing users before accessing data, prevention of data loss through employees
- Physical Protection (PE) – Limiting physical access to resources and monitoring building activity
- Risk Management (RM) – Identifying and mitigating environmental vulnerabilities
- Security Assessment (CA) – Developing, documenting, and continually improving security postures
- Systems and Communications Protections (SC) – Defining and controlling environment security boundaries, and monitoring for appropriate usage
- System and Information Integrity (SI) – System updates, identifying malicious content, employing monitoring systems to maintain integrity, protecting e-mail communications
CMMC Self-Assessments
Not sure where to start? Take one of our CMMC Self-Assessments below to better understand your current cybersecurity posture.
You will be redirected to a Microsoft Form after entering your email.
CMMC Level 1 Self-Assessment
CMMC Level 2 Self-Assessment
Talk to an Expert
Do you have questions, or are you curious about the different solutions and services Giga-Green provides?
Our Address:
Tucson/Phoenix, Arizona, USA
Minneapolis/St. Paul, Minnesota, USA
Fargo, North Dakota, USA
Our Mailbox:
info@giga-green.com
Our Phone:
(701) 630-7188
CMMC Resources:
Cybersecurity Maturity Model Certification Program Final Rule Published > U.S. Department of Defense > Release – Notification of final ruling
DoD Mandatory Controlled Unclassified Information (CUI) Training – Free CUI training
Standard Form 901 (11-2018) cover sheet – CUI Coversheet
DoDI 1035.01, “Telework and Remote Work,” January 8, 2024 – DoD CUI telework policy
CMMC Resources & Documentation – CMMC Assessment and Scoping Guides