Cybersecurity Maturity Model Certification (CMMC)

Radian is recognized by the CMMC-AB as a Registered Provider Organization™ (RPO).

What is the Cybersecurity Maturity Model Certification (CMMC)?

The Department of Defense (DOD) has issued a mandate that all government contractors within the defense industrial base (DIB), and the teaming partners that support them, provide assurance against the CMMC model, which is based on NIST SP 800-171, by 2025. The vision statement for this DOD program reads: “Be a unified cybersecurity standard for DOD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) for the Defense Industrial Base (DIB).”

The requirements for the CMMC model and its supporting accreditation requirements continue to evolve. On November 4, 2021, CMMC model v2.0 was announced, changing the original v1.02 model. While we wait for its publication, you can review a summary of the changes here. The CMMC Accreditation Body (CMMC-AB) supports the ecosystem of licensed and registered entities that provide consulting, assessments, and training. Learn more about the CMMC-AB here.

A few key takeaways on CMMC 2.0

  • CMMC Model 1.02 is NO LONGER available.
    • Key takeaway – Any work you have done is not wasted as it further supports your organization’s effort to improve its cybersecurity posture. However, continuing to implement the requirements of CMMC 1.02 to gain certification is no longer required.
  • CMMC 2.0 no longer includes unique practices and maturity processes.
    • Key takeaway – CMMC is streamlined from 5 levels to 3 levels.
      • Level 1 – now called Foundational, still looks much like the original and focuses on FCI with 17 practices.
      • Level 2 – now called Advanced, is aligned with NIST SP 800-171 (110 controls).
      • Level 3 – now called Expert, will be based on NIST SP 800-172 and is not yet defined.
  • CMMC Level 1 (Foundational) will be achieved through self-assessment.
    • Key takeaway – A senior official from the organization must sign an affirmation of validity.
  • CMMC Level 2 (Advanced) may require C3PAO certification or allow self-assessment depending on the risk level of the CUI being handled (still to be defined).
    • Key takeaway – This still needs more structure and definition.
  • CMMC Level 3 (Expert) will be assessed by government officials (still to be defined).
  • The full CMMC 2.0 program is expected to take 9 to 24 months to complete all rulemaking requirements.
    • Changes to the program are being released through an interim rule, which requires a 60-day comment period.
    • The CMMC 2.0 Model is expected to be released at the end of November.

Where does this leave your organization in meeting the CMMC requirements?

Since CMMC 2.0 has removed the additional complexity of unique practices and maturity processes, NIST SP 800-171 is now the governing standard. Therefore, the continued emphasis should be:

  1. If you don’t expect to need Level 2 (Advanced), focus on the FCI requirements, which are the same as Level 1 in CMMC 1.02.
  2. If you have an SSP recorded in the SPRS database, make sure it is as up to date as possible and prioritize closing your POA&Ms.

Remember, DFARS 252.204-7012 and DFARS 252.204-7019 are already in place, and compliance with them is not new.

How will Radian Compliance support CMMC requirements?

Our experience and depth of knowledge of information security frameworks, including NIST SP 800-171, allow us to competently support organizations in implementing CMMC requirements. If you are:

  • A certified ISO 27001:2013 organization, we streamline the CMMC standard into your existing or new controls.
  • Seeking ISO 27001:2013 certification, we add CMMC to our existing pre-certification methodology.
  • Seeking CMMC support only, our methodology provides the support needed to make decisions and implement the controls appropriate to your organization’s business needs.
  • In need of updating your system security plan (SSP) against the NIST SP 800-171 requirements for input into the SPRS database, we prepare it in readiness for CMMC.

Radian has consultants who hold Registered Partner (RP) designations and intends to add Certified Professionals (CP) once that training is in place. We will not, however, provide C3PAO services, as we believe (as we do with ISO) that it is a conflict of interest to both consult and externally audit against these frameworks.

Radian will adapt our 100% successful ISO methodology to the CMMC model with:

Scope and Gap Analysis: Identify the extent of the CUI and FCI data to be protected. Perform a gap analysis of the CMMC requirements against the client’s current security controls to establish a baseline at Level 1 or Level 2.

Implementation: Support the client with gap remediation and implementation of necessary controls, processes and policies.

Pre-assessment: Based on CMMC-AB requirements, perform a pre-assessment of the fully implemented set of CMMC requirements against the expected maturity level.

Certification Support and Post-Certification Improvement: Provide assistance during certification audits and ongoing support to maintain compliance and drive improvements.
