DOD CMMC Standard
What is the DOD CMMC Standard?
The Department of Defense (DoD) created the DOD CMMC certification protocol to ensure that contractors have the safeguards in place to protect confidential data such as Federal Contract Information and Controlled Unclassified Information (CUI).
The Cybersecurity Maturity Model Certification (CMMC), which replaces the self-attestation model and moves to third-party certification, is a new prerequisite for existing DoD contractors.
The credential is based on NIST SP 800-171, NIST SP 800-53, and AIA NAS9933, among other standards. This new certification aims to improve cybersecurity in the defense industry. Contractor cybersecurity activities are assessed using CMMC, which has five levels.
If they want to bid on new government contracts, all DoD contractors must be CMMC accredited by October 2020. A qualified assessor must conduct the audit.
What are the requirements for CMMC?
The CMMC model integrates different cybersecurity control standards, such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into a single unified cybersecurity standard. The CMMC assesses a company's institutionalization of cybersecurity policies and procedures in addition to cybersecurity control requirements.
The CMMC incorporates a variety of cybersecurity principles and best practices, mapping these controls and processes through many maturity levels ranging from basic to advanced cyber hygiene.
The following are the five CMMC levels:
Level 1 – “Basic Cyber Hygiene” – To pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
Level 2 – “Intermediate Cyber Hygiene” – To pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.
Level 3 – “Good Cyber Hygiene” – To pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 13 new “Other” controls.
Level 4 – “Proactive” – To pass an audit for this level, the DoD contractor will need to implement 11 controls of NIST 800-171 RevB plus 15 new “Other” controls
Level 5 – “Advanced / Progressive” – To pass an audit for this level, the DoD contractor will need to implement the final 4 controls in NIST 800-171 RevB. plus 11 new “Other” controls
Why should you be CMMC compliant?
For businesses who wish to do business with the US Department of Defense, CMMC is a new prerequisite. It requires third-party verification of contractor security and demands that all companies in their supply chain handle their partners with the same diligence.
The CMMC serves as a verification to see whether DIB organizations are using acceptable cybersecurity policies and procedures to secure Federal Contract Information (FCI) and Regulated Unclassified Information (CUI) on their unclassified networks.
Non-compliance will hurt your company's profit margins, as contractors who do not pass the certification will be unable to bid on DoD projects.
How to achieve DOD CMMC compliance?
The Department of Defense will use accredited third-party assessor organizations (C3PAOs) to perform audits on DoD Contractor information systems to ensure that they have reached the required standard of cybersecurity controls. If a DoD contractor complies with 100 percent of the controls for a given Level, they will be assigned a certification Level of 1-5 based on this audit.
Through the Centraleyes platform, organizations can gain full visibility to their cyber risk levels and compliance. In addition to using its integrated CMMC questionnaire with an easy follow-up system to help track and close vulnerable areas, it eases the process towards meeting compliance. The platform also allows you to start an assessment around the NIST 800-171 framework, while walking you through all the requirements that need to be met for this prerequisite. The final report that is needed for SPRS submission will be automatically created by the platform.