What is CMMC?
CMMC, or the Cybersecurity Maturity Model Certification, is an assessment model that the United States' Department of Defense (DoD) has created to protect Controlled Unclassified Information (CUI) across the DoD supply chain.
Representing a unified security standard, CMMC builds on security controls from NIST SP 800-171 under DFARS. This assessment model consists of critical security standards and controls to evaluate and measure an organization's potential for security risk, and scores the CMMC security level they fall into.
Everything You Need to Know About CMMC
Cybersecurity Maturity Model Certification: assessments, compliance, CMMC levels — what they mean & what level your business needs.
What Does CMMC Mean for DoD Contractors?
Any vendors or contractors working in any part of the DoD supply chain will be required to obtain CMMC compliance in order to continue working with the DoD. Not all contractors will require the same level of cybersecurity maturity. Certification requirements are relative to the supplier's level in the DoD supply chain: the more CUI, or Controlled Unclassified Information, that is present, the higher the level of cybersecurity risk management required.
CMMC Levels — How do They Work?
The Cybersecurity Maturity Model Certification uses a simplified scoring system to identify an organization's security and readiness level. Initially, CMMC 1.0 included a five-tier scoring system; however, the changes brought about by the introduction of CMMC 2.0 have condensed this to three levels. Each CMMC tiered level builds on the last, with additional layers of advanced practices and processes required by DoD contracts. To put it simply, the higher an organization is within the DoD supply chain, the more CUI they are handling and circulating on their networks — and the more security and protection this organization will need.
How is CMMC different from NIST 800-171?
Initially, before the CMMC model, there was NIST 800-171, a cybersecurity standard that outlines many aspects of your company's security, from physical security to IT and cybersecurity. It was implemented by the DoD as a self-assessment; however, the DoD found that many organizations were not actually following and enforcing these regulations. CMMC is based primarily on NIST 800-171, with some additional measures, and is more strictly enforced through third-party assessments, audits and certifications.
CMMC as a Maturity Model
It's important to understand that CMMC is a "maturity" model. This means that the assessment involves a historical analysis of an organization's readiness, as well as its plans for the future.
CMMC is not an out-of-the-box solution; there is no single "CMMC solution tool". Instead, CMMC is really about people, process and policy — these are part of security tooling, and these things can take time.
What the DoD is looking for right now is that an organization is moving in the right direction to close all risk gaps, has a plan of action in place, and is on a path to completing any projects needed for full compliance.
Assessing Your Readiness
A CMMC assessment will require third parties to evaluate your current tooling and processes. An assessment will identify your current risk gaps and lead the way to a strategic plan to meet an organization's cybersecurity goals. By conducting a CMMC assessment, you will be equipped with the documents you need to present to an auditor — the SSP (System Security Plan) and the POA&M (Plan of Action & Milestones) for your organization.
Getting Certified and Compliant
At this time, organizations are able to show auditors their progress towards a required CMMC level. When completing your defense contract, you will prove what level of CMMC you are currently at, and then what you need to do to reach the CMMC level required for the contract. You will have time to reach that compliance certification before closing the contract. CMMC will be fully required by 2025, meaning you will need to be fully certified to continue business with the DoD — either a "GO" or "NO GO" situation.
Start Your Journey to CMMC with Synagex
At Synagex, we take the complexity of the CMMC process — break it all down and make it more accessible — and we focus on business and strategy to get you there. You have the ability to adapt and take a slow, strategic path, but also one that is ultimately going to have a positive business impact. We understand these regulations and audits can be daunting, but CMMC can be an enabler, not just an expense. It can help you in the future and build more trust with your clients, and more trust with the DoD.