CMMC
CMMC Compliance Services
Overview of CMMC
CMMC is the new Cybersecurity certification that is taking the Department of Defense (DoD) Supply Chain by storm. The new mandate requires all Federal contractors, prime and subcontractors, to be validated by a CMMC Accreditation Body (AB) approved Certified Third-Party Assessment Organization (C3PAO). The days of being “self-certified” to NIST 800-171 standards are a thing of the past, now the 300,000+ organizations registered to bid on RFP’s for the DoD must become CMMC compliant.
There are 5 levels of CMMC certification, the scope of work your organization normally develops proposals for determines the level of compliance you need. A full CMMC compliance maturity and certification process can take from 6-12 months depending on the level of certification and the current state of the organization’s cyber security compliance if done alone.
CMMC-AB RP
CMMC-AB RPO
CMMC-AB Approved
The DoD Is Not “BLUFfing”…..
…So Here’s The Bottom Line Up Front
With Government agencies and top enterprises spending the necessary funds on their cybersecurity programs and employee training, hackers have shifted their focus to Small and Medium businesses that have less stringent network security as their prime targets.
The Department of Defense (DoD) has issued the Cybersecurity Maturity Model Certification (CMMC) as an effort to mandate more mature cybersecurity practices, and to apply mandatory assessments to ensure companies have successfully implemented requirements.
CMMC builds upon DFARS and has five levels of maturity from Basic to Advanced Cyber Hygiene. CMMC certification is the future for the DoD supply chain and will be a requirement in future Request for Proposals (RFPs) for organizations that wish to conduct business with the DoD.
Tell Me More About Levels 1-5
Now that we know that the DoD is mandating CMMC and there are 5 Levels, lets dig in! CMMC incorporates pre-existing requirements such as NIST SP 800-171. 48 CFR 52.204-21, DFARS clause 252.204-7012, and various other requirements into a single set of unified best practices for cybersecurity. These requirements are laid out across 17 different domains, range from certification levels of 1-5, and total 171 cybersecurity best practices.
The necessary level of certification depends on the degree of requirements for the contracts your organization seeks. For example Level 1 is more about being able to show that your organization can perform specified practices and may not rely on documentation, as process maturity is not assessed for Level 1. However, higher levels require that proper processes and procedures are in place. Levels 4-5 take it a step further and require that your organization can protect your Controlled Unclassified Information (CUI) from Advanced Persistent Threats (APTs).
Now That I Understand The 5 Levels…
Tell Me More About The 17 Domain Controls.
As mentioned previously there are 5 different levels of CMMC. from Basic to Advanced Cyber Hygiene, but many people ask questions surrounding the 17 different Capability Domains. What are they? How do I satisfy each area? Do I really have to go through every domain and requirement for certification?
Each domain has separate requirements that must be met before you can achieve compliance for your desired level of certification. It is important to note that not every company that approaches your company offers a solution that meets the full intent of all seventeen controls… spoiler alert: we do! Their approach forces you to manage multiple different vendors to piecemeal a solution to meet CMMC compliance.
Here is a look at the seventeen required controls that we satisfy for our customers:
The 17 Domain Controls
01.
Access Control (AC)
02.
Incident Response (IR)
03.
Risk Management (RM)
04.
Asset Management (AM)
05.
Maintenance (MA)
06.
Security Assessment (CA)
07.
Awareness & Training (AT)
08.
Media Protection (MP)
09.
Situational Awareness (SA)
10.
Audit & Accountability (AU)
11.
Personnel Security (PS)
12.
System & Communications Protection (SC)
13.
Configuration Management (CM)
14.
Physical Protection (PE)
15.
System & Information Integrity (SI)
16.
Identification & Authentication (IA)
17.
Recovery (RE)
“We want companies to define their own destiny,
we want small businesses to build into maturity,
and we want them to continue to grow.”
– Katie Arrington, Chief Information Security Officer
to the Assistant Secretary of Defense for Acquisition
Ready To Begin the Process for CMMC Compliance
CMMC Implementation Steps For Certification
Now that we have covered the 5 CMMC Levels and the 17 Domain areas, let’s take a look at the steps your organization will have to take to become compliant:
Where Does Your CMMC Compliance Stand Today?
Our initial discussions with customers have shown that most organizations are unsure where their compliance stands today. The chart below shows where customers’ compliance stands on average from Initial Scan through the first 60 days of our 90 day onboarding period.
Cybersecurity Maturity Model Certification (CMMC)
Security Equipment
Our Cyber Threat Compliance (CTC) platform brings all the compliant security equipment and tools to the fight that your organization needs. We fold all the security tools into one proprietary, patented device without charging you the heavy upfront costs of implementing new technology.
Personal Onboarding
Our Client Onboarding Coordinator will be with your team throughout the entire process. We want CMMC implementation to remain easy and transparent for your organization, so we ensure that our team stands by your side for each milestone between your team and compliance.
Policies/Procedures
It is easy to become overwhelmed when it comes to developing Policies and Procedures that satisfy cybersecurity regulations within your industry. Our team of experts develop a package of required policies and procedures that fit the way your organization does business.
24/7 SOC & Help Desk
At CSS we offer flexible Security Operations Center (SOC) and Help Desk options for our partners. Our team of expert Security Analyst and Help Desk Technicians ensure that your business stays connected and that your network is monitored for potential threats in the outside world.
CMMC Training
You're only as strong as your weakest link, so we ensure your staff is geared to withstand cyber threats. Our team offers Security Awareness Training (CMMC AT.2.056), Role-Based Security Training (CMMC AT.0.057), Insider Threat Training (CMMC AT.3.058), Policy & Procedure Training, Phishing Campaigns & more.
Customer Portal
Our approach to CMMC is simple, we ensure that your organization has access to your data within a compliant environment regardless where your business travels may take you. Our Customer Portal includes: Secure Email, Secure Vault, Remote Workforce, Ticketing System, and a live Compliance Dashboard.
CMMC Dashboard
Our Dashboard shows your organization's CMMC compliance percentage for each of the 17 domain areas as well as your overall score. Our Dashboard provides executive reporting, project management, and engineering task management to keep compliance up-to-date within budget.
FEDRAMP Cloud
The secure cloud environment provides a compliant, scalable, and secure infrastructure capability enabling and supporting platforms or software required for your business or mission success. Our Customer Portal lives in this secure and compliant environment to ensure your data is protected.
Personalized Customer Portal
Our Customer Portal was developed in-house with mobile security and compliance in mind. Our goal was to provide a means for your organization to have security and compliance no matter where your business travels may take your team.
Frequently Asked Questions
When will the Department of Defense (DoD) begin rolling out CMMC requirements in all contracts?
The DoD has stated that a subset of contracts will initially be chosen for application of the CMMC requirement.
The DoD has also indicated that they intend to introduce CMMC requirements into solicitations on a gradual basis starting in September 2020. The guidance that the DoD has provided to the industry is that in 2026 all contracts will have a CMMC Level 1-5 requirement.
What data is considered Controlled Unclassified Information (CUI)?
Per the Office of the Under Secretary of Defense for Acquisition & Sustainment:
"CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects."
The CUI Registry can be found at: https://www.archives.gov/cui and https://www.dodcui.mil/Home/DoD-CUI-Registry/ index groupings:
What does my organization need to do in order to become compliant?
The work starts by either conducting or outsourcing a recent assessment to understand where your organization stands today. For organizations that are not comfortable conducting assessments and mitigating technical/security issues for compliance, you can outsource the process to a Registered Provider Organization (RPO) like CSS.
Once all non-compliant issues have been mitigated Defense Industrial Base (DIB) companies will select one of the Authorized or Accredited Certified Third Party Assessment Organizations (C3PAOs) from the CMMC-AB Marketplace website. The DIB company and the selected C3PAO will coordinate and plan the CMMC assessment as well as complete appropriate contractual agreements.
After the completion of the CMMC assessment, the C3PAO will provide an assessment report and if there are no deficiencies, issue the appropriate CMMC certificate to the DIB company for the specified certification boundary. The C3PAO will also submit a copy of the assessment report and CMMC certificate to the DoD.
It is important to note that CSS offers a full turn-key compliance package for Levels 1-5, and has partnered with several C3PAO organizations to remove the headaches and fear from CMMC implementation.
What is the difference between the newly mandated CMMC and NIST SP 800-171?
Unlike NIST SP 800-171, the CMMC model possesses five levels and no longer allows for self attestation. Each CMMC Level consists of practices and processes as well as those specified in the subsequent levels. The CMMC Model includes additional cybersecurity practices in addition to the security requirements specified in NIST SP 800-171. CMMC is a maturity model certification that requires continued growth and adaptation to a more secure environment that protects the nation's data from our adversaries.
Resources
Get Your Free Consultation Today!
Ensure your company and all of your employees are in compliance and safe from vulnerabilities.
