What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) latest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.
The DoD CMMC establishes five CMMC certification levels that reflect the maturity and reliability of an organization’s cybersecurity infrastructure to safeguard sensitive government information on contractors' information systems. This DoD CMMC framework is the vehicle by which the government will mandate a contractor’s cyber security maturity level to be verified by an independent third-party audit.
CMMC Timeline
October 2019
CMMC implemented requirements released
January 2020
Version 1.0 finalization; compliance checklist released
June 2020
DOD Signed Memorandum of Understanding with CMMC Accreditation Board
September 2020
Interim version was published
October 2020
CMMC will begin appearing in Requests for information (RFIs)
Early 2021
CMMC will begin appearing in Requests for proposals (RFPs) in early 2021
Are you compliant?
The Cybersecurity Maturity Model Certification (CMMC) is mandatory for all contractors doing business with the DoD at any level. All contractors are required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. No organizations are permitted to receive or share DoD information related to programs & projects without having completed the CMMC Compliance.
Please note: As of October 2020, the CMMC-AB is working through its initial stand up phase and working to meet the requirements of the DoD. So, no contractors are currently CMMC certified.
Request a FREE Consultation now to get a guide towards successful CMMC Certification.
The CMMC Framework
Includes highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 34 controls among CMMC cyber security practices.
Includes advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, properly resourced, and are improved regularly across the enterprise. In addition, the defensive responses operate at machine speed and there is a comprehensive knowledge of all cyber assets. This level has an additional 95 controls beyond the first three Levels required by DoD CMMC.
Good CMMC Cyber Hygiene includes coverage of all NIST SP 800-171 Rev. 1 controls and additional practices beyond the scope of current CUI protection. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. This level requires an additional 91 security controls beyond those covered in Levels 1 and 2.
Intermediate CMMC Cyber Hygiene includes universally accepted cybersecurity best practices. Practices at this level would be documented, and access to CUI data will require multi-factor authentication. This level includes an additional 115 security controls beyond that of Level 1.
Basic CMMC Cyber Hygiene includes basic cybersecurity appropriate for small companies utilizing a subset of universally accepted common practices. The processes at this level would include some performed practices, at least in an ad hoc manner. This level has 35 security controls that must be successfully implemented.
How WCG can help?
It is never too late to evaluate your cybersecurity posture. WCG is your reliable partner that understands the CMMC compliance landscape and has the experience of working with federal third-party vendors. Although the CMMC-AB program is not yet finalized, we are offering consulting and remediation services based on the latest draft version of the certification model to help you get ready for CMMC Compliance. If you do not know where your organization stands, WCG provides the following:
CMMC Consulting
WCG provides
- a top-down assessment and gap analysis of your organization’s cybersecurity posture,
- identification of the CMMC scope to help your organization align with CMMC controls, and
- a comprehensive readiness assessment report with concise and clear recommendations
CMMC Remediation
WCG works with our clients to develop a Plan of Action customized to their organizations to:
- address deficient controls,
- close the gap on CMMC Compliance, and
- reach your desired, targeted CMMC-level and become compliant to get CMMC certification.