Cybersecurity Maturity Model Certification
In 2020 we have all faced unexpected business delays because of a global pandemic, but one area where we cannot backslide is cybersecurity. The federal government has already committed and assured contractors that Cybersecurity Maturity Model Certification (CMMC) will continue to roll out on schedule and without delay. The first official version of the CMMC was released on January 31, 2020.
The Department of Defense has confirmed that CMMC will begin to roll out by September 2020.
What is Cybersecurity Maturity Model Certification (CMMC)?
CMMC is a required cybersecurity evaluation, with a certification issued by a third party, of your business and its operations to determine your cybersecurity posture. The federal government has deemed cybersecurity a critical component of contracting and of bid award criteria, and it will be a requirement for contracting going forward.
CMMC consists of 5 progressively more secure levels of certification built around 17 domains of cybersecurity and organizational health. The 17 evaluation domains and brief descriptions are listed below. These domains were developed from the NIST 800-171 standard and have been assigned minimum levels of compliance that must be met to achieve a CMMC certification. Currently, a CMMC certification is anticipated to be valid for 3 years, after which the organization is reassessed. There is no way to self-certify that the requirements are met.
Why is this being done?
In the Department of Defense's own words, CMMC is intended to 'assess and enhance the cybersecurity posture of the Defense Industrial Base.' The federal government is interested in protecting its informational secrets through a process known as supply-chain hardening. This is the program that will ensure downstream organizations are less likely to be compromised and used as a path to government intelligence.
Does this affect my business?
Organizations or subcontractors handling Controlled Unclassified Information (CUI) can anticipate a minimum of CMMC Level 3 to meet future bid criteria.
If you hold any government-issued contracts or are a subcontractor on an issued contract, you will need to hold at least a Level 1 CMMC certification by the time the rollout is completed. This meets the already existing Federal Acquisition Regulation (FAR) Clause 52.204-21 pertaining to safeguarding Federal Contract Information (FCI).
How to prepare for a CMMC evaluation
CMMC domains are assessed on a 1 to 5 scale called Maturity Levels (ML). Maturity levels are progressive: each higher level requires that all previous levels have been achieved.
Organizations start by Performing (ML 1) proper cybersecurity practices; they then need to Document (ML 2) these processes for their security boundaries. After gathering proper documentation, the organization needs to Manage (ML 3) and maintain its processes at those levels. Reviewing (ML 4) these documented procedures and measuring their effectiveness comes next, leading to the ultimate goal of Optimizing (ML 5) these processes to continually improve the security architecture.
CMMC Assessment Domains:
- Access Controls (AC) – Limiting user access to information systems
- Asset Management (AM) – Documentation of known equipment and approved assets
- Audit & Accountability (AU) – Ability to track user actions to the individual
- Awareness and Training (AT) – Measures taken to educate your workforce
- Configuration Management (CM) – Appropriate configuration, limitation, and use of documented systems
- ID & Authentication (IA) – Identifying end users correctly and controlling their ability to access systems (multifactor authentication at CMMC Level 3)
- Incident Response (IR) – Cybersecurity breach and organizational disaster recovery and business continuity planning
- Maintenance (MA) – Performance of regular maintenance and software updates
- Media Protection (MP) – Proper disposal, transfer, and housing of FCI and CUI data
- Personnel Security (PS) – Screening and authorizing users before accessing data, prevention of data loss through employees
- Physical Protection (PE) – Limiting physical access to resources and monitoring building activity
- Recovery (RE) – Data backup and recovery strategies, maintaining data integrity
- Risk Management (RM) – Identifying and mitigating environmental vulnerabilities
- Security Assessment (CA) – Developing, documenting, and continually improving the security posture
- Situational Awareness (SA) – How well the organization keeps up with the latest security exploits and mitigates emerging threats
- Systems and Communications Protections (SC) – Defining and controlling environment security boundaries, and monitoring for appropriate usage
- System and Information Integrity (SI) – System updates, identifying malicious content, employing monitoring systems to maintain integrity, protecting e-mail communications
Why Giga-Green Technologies?
Giga-Green was formed and built with security as a fundamental and foundational principle of our operations. We build our internal processes on the existing NIST 800-171 standard and do so on a minimal budget. We have a history of leveraging cloud solutions to rapidly and cost-effectively secure hybrid-datacenter environments. Alternatively, we have helped businesses move to secure cloud-only environments that adhere to NIST standards.
We are actively following all updates regarding Certified Third-Party Assessment Organizations (C3PAO) from the newly formed CMMC accreditation body. This program is still in its development stages, and we are keeping up with the ever-changing standards and documentation as they are finalized.
Like all businesses currently, Giga-Green can only wait until more information is released, but that does not mean we cannot do our part to help you prepare for the upcoming requirements. To this end, we have developed our own free assessment tool so organizations can prepare and predict their current CMMC level before certification entities have been accredited.
We have created two CMMC evaluations: a complete evaluation and a CMMC Level 1 evaluation.