Cybersecurity Maturity Model Certification (CMMC)

Become DoD Compliant Today

What is the Cybersecurity Maturity Model Certification (CMMC)?

The Department of Defense (DoD) has mandated that all contractors in the defense industrial base (DIB), and the teaming partners that support them, demonstrate conformance to the CMMC model, which is built on the NIST SP 800-171 requirements, with the program phased in from 2025. The DoD's stated vision for the program is: “Be a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) for the Defense Industrial Base (DIB).” The DoD CMMC website has more detail.

The requirements of the CMMC model and the supporting accreditation rules continue to evolve. On November 4, 2021, DoD announced CMMC 2.0, which replaces the original v1.02 model. CMMC 2.0 was published in December 2021 and was followed by additional documentation, including the scoping and assessment guides for each level. DoD has published an overview of CMMC, a summary of the changes from 1.02 to 2.0, and the related documents. The CMMC Accreditation Body (CMMC-AB) licenses and registers the entities that provide consulting, assessment, and training in the CMMC ecosystem.

A few key takeaways on CMMC 2.0

  • CMMC Model 1.02 has been replaced with CMMC 2.0.
    • Key takeaway – Work already done toward CMMC 1.02 is not wasted; it still improves the organization's cybersecurity posture, and the NIST SP 800-171 controls carry over unchanged.
  • CMMC 2.0 drops the CMMC-unique practices and the maturity processes that 1.02 layered on top of NIST SP 800-171.
    • Key takeaway – CMMC is streamlined from 5 levels to 3 levels.
      • Level 1 – now called Foundational, looks much like the original Level 1: it protects Federal Contract Information (FCI) with the 17 practices derived from FAR 52.204-21.
      • Level 2 – now called Advanced, is aligned one-to-one with NIST SP 800-171 (110 controls) and applies to organizations handling CUI.
      • Level 3 – now called Expert, will be based on a subset of NIST SP 800-172 that DoD has not yet defined.
  • CMMC Level 1 (Foundational) will be achieved through an annual self-assessment.
    • Key takeaway – A senior official of the organization must sign an annual affirmation that the self-assessment is accurate.
  • CMMC Level 2 (Advanced) will require a C3PAO assessment for some contracts and allow self-assessment for others, depending on the sensitivity of the CUI involved; the split between the two has not yet been defined.
    • Key takeaway – This area still needs more structure and definition, so plan for the C3PAO assessment unless DoD confirms otherwise for your contracts.
  • CMMC Level 3 (Expert) will be assessed by the government (still to be defined).
  • The full CMMC 2.0 program takes effect once rulemaking is complete; at the time of writing DoD estimated roughly Spring 2023.
    • Key takeaway – CMMC is here to stay, so continue improving cybersecurity posture against NIST SP 800-171, including the NFO (non-federal organization) controls listed in Appendix E, which assessors expect to be in place even though they are not scored.

Where does this leave your organization in meeting the CMMC requirements?

Since CMMC 2.0 has removed the additional complexity of unique practices and maturity processes, NIST SP 800-171 is the governing standard. The continued emphasis should therefore be:

  1. If you do not expect to need Level 2 (Advanced), focus on the Level 1 FCI requirements (the 17 practices derived from FAR 52.204-21).
  2. If you have already posted a NIST SP 800-171 self-assessment score to SPRS, keep the underlying system security plan (SSP) current and prioritize closing the POA&M items, since each open item lowers the score and will have to be remediated before a Level 2 assessment.

Remember, DFARS 252.204-7012 (safeguarding covered defense information and cyber incident reporting) and DFARS 252.204-7019/7020 (NIST SP 800-171 DoD assessment requirements and SPRS score posting) are already in contracts today; compliance with NIST SP 800-171 is not a new obligation.

How will Radian Compliance support CMMC requirements?

Our experience with information security frameworks, including NIST SP 800-171, allows us to support organizations in implementing the CMMC requirements. If you are:

  • A certified ISO 27001:2013 organization: we map the CMMC requirements onto your existing controls and add new ones only where there is a gap.
  • Seeking ISO 27001:2013 certification: the CMMC requirements are folded into our existing pre-certification methodology.
  • Seeking CMMC support only: our methodology provides the support needed to make scoping decisions and implement the controls appropriate to your organization's business needs.
  • In need of updating your system security plan (SSP) against the NIST SP 800-171 requirements so that a current assessment score can be posted to SPRS in readiness for CMMC.

Radian has consultants who hold the CMMC-AB Registered Practitioner (RP) designation and intends to add CMMC Certified Professionals (CCP) once that training is available. We will not, however, provide C3PAO assessment services: as with ISO, we consider it a conflict of interest to both consult on and externally assess against the same framework.

Radian will adapt our 100% successful ISO methodology to the CMMC model with:

Scope and Gap Analysis: Identify where CUI and FCI are stored, processed and transmitted to define the assessment scope, then perform a gap analysis of the CMMC requirements against the client's current security controls to establish a baseline at Level 1 or Level 2.

Implementation: Support the client with gap remediation, and implementation of necessary controls, processes and policies.

Pre-assessment: Using the CMMC assessment guides for the target level, perform a pre-assessment of the fully implemented set of CMMC requirements, so that findings can be fixed before the formal assessment.

Certification Support and Post Certification Improvement: Provide assistance during certification audits and ongoing support to maintain compliance and improvements.
