The DoD's Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a new standard being implemented across the Defense Industrial Base (DIB). The Department of Defense (DoD) introduced it in response to a significant number of compromises of sensitive data. CMMC provides guidance on, and protection of, sensitive data such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) through 17 domains. Each domain is composed of processes that range from ‘Performed’ at Level 1 to ‘Optimizing’ at Level 5, and practices that range from ‘Basic Cyber Hygiene’ at Level 1 to ‘Advanced/Progressive’ at Level 5. The CMMC framework includes 5 certification levels based on the maturity and stability of the infrastructure that supports DoD sensitive information. Each level adds practices and processes, and each level is inclusive of the practices of the levels below it.
What CMMC will require
While DFARS is the current standard, CMMC will require DoD contractors to become CMMC certified. This includes all suppliers at all tiers of the supply chain, small businesses, commercial item contractors, and foreign suppliers. For contracts that require CMMC, certification will be required for consideration.
CUI Data Protection
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Through its maturity levels, one of the main goals of the CMMC is to safeguard CUI held by DoD contractors and organizations.
Development of System Security Plan Documentation
Developing and implementing a System Security Plan (SSP) is crucial for DFARS and future CMMC compliance. It documents the people, technology, and processes related to the CUI environment. The SSP is a "living" document that must be updated continually as the CUI environment changes. It is also the central document for the NIST 800-171 controls and acts as a "repository" for the CUI environment. The SSP will be required, and a CMMC Auditor will ask for it.
Internal Cybersecurity Program
The CMMC Accreditation Board (AB) establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the CMMC Program.
External Audit & Certification
The CMMC AB, a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. Only C3PAOs and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.
Need Help Preparing for CMMC?
Impact Washington has teamed up with Ignyte Institute to provide CMMC Readiness Training Modules. The training provides participants with the tools and resources needed to self-manage and prepare for their organizations’ compliance. Participants learn the material through interactive sessions and can join a larger pool of candidates looking to create roadmaps, track milestones, and control the entire process of managing compliance and cybersecurity for their organization.