What is the CMMC?
The CMMC is a new government standard that combines various cybersecurity standards and best practices into a graded maturity scale against which the assessed organization is measured. The CMMC grew out of a collaboration to define a standard security model for government entities such as the DoD and was created by Carnegie Mellon University and Johns Hopkins University Applied Physics Laboratory, LLC. The CMMC contains five levels (L1-L5), with L5 being the most stringent, and incorporates popular standards such as:
- FAR Clause 52.204-21
- NIST SP 800-171 Rev 1
- Draft NIST SP 800-171B
- CIS Controls v7.1
- NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
- CERT Resilience Management Model (CERT RMM) v1.2
- NIST SP 800-53 Rev 4
- Others such as UK NCSC Cyber Essentials, or AU ACSC Essential Eight
Level 2: Intermediate implemented safeguards in place
Incorporation of these business practices into your information security governance model will assist in securing your environment and compliance with the standard.
As the standard is implemented it retains a hierarchical system in which all compliance objectives for Level 1 must be attained and then built upon for Level 2 compliance. Additional information on the CMMC model may be found here.
What is audited with CMMC?
CMMC works much like a NIST standard wherein 17 domains of controls and procedures are audited to an established standard. These domains are:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Each domain is audited against an established standard to achieve a level (L1-L5) of compliance with the CMMC standard. The practices audited under the maturity model are identified using the convention [DOMAIN].[LEVEL].[PRACTICE NUMBER] where:
- DOMAIN is the two-letter domain abbreviation;
- LEVEL is the level number; and
- PRACTICE NUMBER is the identifier assigned to that practice.
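As an added illustration (not part of the original page or of any official CMMC tooling), the following Python validates practice identifiers against the naming convention and the 17 domain abbreviations listed above, and applies the cumulative-level rule: a Level N assessment must cover every practice at levels 1 through N. The practice identifiers in the sample are constructed for the example and are not taken from the published practice catalogue.

```python
import re
from collections import defaultdict

# The 17 CMMC domains listed on this page, keyed by their two-letter abbreviation.
DOMAINS = {
    "AC": "Access Control", "AM": "Asset Management", "AU": "Audit and Accountability",
    "AT": "Awareness and Training", "CM": "Configuration Management",
    "IA": "Identification and Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection", "PS": "Personnel Security",
    "PE": "Physical Protection", "RE": "Recovery", "RM": "Risk Management",
    "CA": "Security Assessment", "SA": "Situational Awareness",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
}

# [DOMAIN].[LEVEL].[PRACTICE NUMBER]: two capital letters, a level 1-5, then digits.
PRACTICE_ID = re.compile(r"^([A-Z]{2})\.([1-5])\.(\d+)$")


def parse_practice_id(pid):
    """Return (domain, level, practice_number); raise ValueError if malformed."""
    m = PRACTICE_ID.match(pid.strip())
    if not m:
        raise ValueError(f"bad practice id format: {pid!r}")
    domain, level, number = m.group(1), int(m.group(2)), m.group(3)
    if domain not in DOMAINS:  # abbreviation must be one of the 17 domains
        raise ValueError(f"unknown domain {domain!r} in {pid!r}")
    return domain, level, number


def is_valid_practice_id(pid):
    try:
        parse_practice_id(pid)
        return True
    except ValueError:
        return False


def practices_required_for(target_level, practice_ids):
    """Levels are cumulative: a Level N audit covers all practices at levels 1..N.

    Returns {domain name: [practice ids]} for the practices in scope."""
    required = defaultdict(list)
    for pid in practice_ids:
        domain, level, _ = parse_practice_id(pid)
        if level <= target_level:
            required[DOMAINS[domain]].append(pid)
    return dict(required)


# Constructed sample identifiers (hypothetical numbers, not the official catalogue).
SAMPLE_PRACTICES = ["AC.1.001", "AC.2.002", "IR.2.001", "SI.3.001", "CM.1.004"]
```

Running `practices_required_for(2, SAMPLE_PRACTICES)` scopes a Level 2 assessment to the four Level 1 and Level 2 practices, grouped by domain name, and excludes the Level 3 practice.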
The focus of the CMMC standard is to audit the processes and procedures in place for protecting data in transit and at rest within information systems. Systems in scope may include those holding company secrets, client databases and any other information that is classified or otherwise not public facing within your business infrastructure.
Why is the CMMC useful?
The CMMC gives an organization a gauge for auditing its processes and procedures, along with the appropriate supporting evidence, to expose areas of improvement within its infrastructure. Practices and processes may be improved, changed, or removed from corporate policies where they do not align with the entity's overall information security strategy. Conformance with the CMMC may prove to your government-contracted client that your business has been audited against their standards and is actively making improvements to its governance model.
According to Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition (A), CMMC standards will begin populating RFPs for DoD contractors by fall of this year, with full roll out expected to complete within 5 years. Compliance with the standard will ensure a leading edge in the selection process to become a DoD contractor.
MegaplanIT Holdings, LLC provides trusted advisory services and assistance at a pace that lets you continue business as usual. Our business processes, tools, and technical expertise will ensure that the audit process is expedient and cost effective, eliminating down time and resource requests. MegaplanIT performs several audits also found within the CMMC model, including but not limited to:
- NIST 800-171
- NIST 800-53
- NIST Cyber Security Framework
- ISO 17020
- ISO 27001-27002