What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a standard created to protect and secure the Department of Defense (DoD) supply chain. Every DoD contractor and subcontractor, whatever its level of involvement, will need to obtain a certification at the level specified in its contracts to keep working with the DoD. The primary goal of CMMC is to protect Controlled Unclassified Information (CUI), which is defined as unclassified information that requires safeguarding or dissemination controls under a law, regulation or government-wide policy. In other words, CUI is not classified, but it is information that could be exploited to harm the DoD, and it must be protected accordingly.
The CMMC model incorporates the basic safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21 (which apply to Federal Contract Information) and the security requirements for CUI specified in NIST SP 800-171, which DFARS clause 252.204-7012 already imposes on contractors that handle CUI.
[Video: Katie Arrington, Chief Information Security Officer, Office of the Under Secretary of Defense for Acquisition and Sustainment, gives an overview of CMMC compliance.]
What will be required of DoD Subcontractors?
CMMC measures cybersecurity maturity on five levels. Each level pairs a set of processes and practices with the type and sensitivity of the information that needs to be protected and the associated risks, and a contractor certified at a given level must also meet every lower level. A brief overview of the five levels:
- Level 1 - Basic Cyber Hygiene: 17 practices, equivalent to FAR 52.204-21; processes need only be performed
- Level 2 - Intermediate Cyber Hygiene: 72 practices; processes must be documented
- Level 3 - Good Cyber Hygiene: 130 practices, covering all 110 NIST SP 800-171 requirements; processes must be managed
- Level 4 - Proactive: 156 practices; processes must be reviewed
- Level 5 - Advanced / Progressive: 171 practices; processes must be optimizing
The CMMC model consists of 17 domains, or control families. The "practices and processes" referred to in the level descriptions above are the controls grouped under these domains. Most of the domains come from the security-related areas of Federal Information Processing Standards (FIPS) Publication 200 and the corresponding security requirement families in NIST SP 800-171. Each domain and the capabilities it covers are listed below.
Access Control (AC)
- Establish system access requirements
- Control internal system access
- Control remote system access
- Limit data access to authorized users and processes
Asset Management (AM)
- Identify and document assets
Audit and Accountability (AU)
- Define audit requirements
- Perform auditing
- Identify and protect audit information
- Review and manage audit logs
Awareness and Training (AT)
- Conduct security awareness activities
- Conduct training
Configuration Management (CM)
- Establish configuration baselines
- Perform configuration and change management
Identification and Authentication (IA)
- Grant access to authenticated entities
Incident Response (IR)
- Plan incident response
- Detect and report events
- Develop and implement a response to a declared incident
- Perform post incident reviews
- Test incident response
Maintenance (MA)
- Manage maintenance
Media Protection (MP)
- Identify and mark media
- Protect and control media
- Sanitize media
- Protect media during transport
Personnel Security (PS)
- Screen personnel
- Protect CUI during personnel actions
Physical Protection (PE)
- Limit physical access
Recovery (RE)
- Manage back-ups
Risk Management (RM)
- Identify and evaluate risk
- Manage risk
Security Assessment (CA)
- Develop and manage a system security plan
- Define and manage controls
- Perform code reviews
Situational Awareness (SA)
- Implement threat monitoring
Systems and Communications Protection (SC)
- Define security requirements for systems and communications
- Control communications at system boundaries
System and Information Integrity (SI)
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
You probably have questions about when all of this happens. The 2020 CMMC timeline is summarized below to show when CMMC takes effect and when a certification will be required. After the assessors are trained in Q3 2020, the DoD will begin what it calls "pathfinder" contracts. These initial test audits will help the DoD decide whether the CMMC requirements need to change before formal audits of DoD contractors begin.
DoD Contractors must obtain CMMC by May 2023
The DoD has announced its plan to have the CMMC rule in place by May 2023 and CMMC requirements written into DoD contracts by July 2023. Any contractor that handles, transmits, processes or stores CUI will then need to have passed an assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO) or risk losing the ability to bid on future contracts. Reaching Level 3 certification typically takes about six months. 360IT Partners has a proven roadmap to help your business achieve and maintain CMMC. Contact us today for a free consultation.
The 2020 CMMC Roadmap
- Establishment of Accreditation Body
- Completion and release of v1.0
- Establishment of Marketplace
- Initial RFIs (Request for Information)
- Potential CMMC update
- Initiation of CMMC 101 training for level 1–3
- Test audits
- Initiation of CMMC 101 training for level 4–5
- Initial RFPs (Request for Proposal)
How does one achieve CMMC Compliance?
360IT Partners has extensive experience helping companies align their processes and cybersecurity practices with NIST SP 800-171. Our Governance, Risk and Compliance solution (GRC Shield) follows the three-phase approach outlined below.
Phase 1 - Audit & Planning
We’ll conduct a comprehensive analysis of your existing IT infrastructure, identify the steps needed to reach your compliance goals, and create a detailed roadmap and implementation plan.
Phase 2 - Implementation
Our Governance, Risk and Compliance solution (GRC Shield) includes Security Information and Event Management (SIEM), vulnerability scanning, server and laptop encryption, multifactor authentication (MFA), and security awareness training for employees to minimize both technical and human error.
Your dedicated engineer and Project Manager will keep you updated about the progress through detailed, easy-to-understand calls, including a kick-off call, routine status update calls, and a final wrap-up call after a successful project completion.
Phase 3 - Ongoing support
Over 25 years of experience in the industry has taught us that IT and compliance are never a “set it and forget it” thing. That’s why we offer IT Department as a Service, where we continue to monitor, manage, and support your CMMC solution as you grow toward success.
The Proof is in the Process
360IT Partners has helped many companies in the area achieve DFARS compliance and prepare for CMMC. See what Kitco Fiber Optics had to say about their experience with our GRC Shield solution.
Ensure you meet CMMC requirements and stay ahead of the competition with 360IT Partners’ compliance services.