Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) provides a standard set of controls for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of the processes and practices associated with a given cybersecurity maturity level. CMMC is designed to give the Department of Defense increased assurance that a DIB company can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), accounting for the flow-down of that information to subcontractors in a multi-tier supply chain.
DoD contractors must demonstrate compliance with CMMC to show they have sufficient controls to safeguard sensitive data, including CUI and FCI. CMMC 2.0 measures cybersecurity maturity using three levels, with the required practices and assessment rigor increasing at each level.
ControlCase CMMC Gap Assessment
To help organizations get ready for CMMC, ControlCase provides a complete CMMC Assessment designed to identify gaps and help with remediation efforts required to meet CMMC requirements. The assessment includes a review of the 14 domains and controls associated with the CMMC level you wish to achieve.
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical Protection (PE)
- Personnel Security (PS)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).
When did CMMC go in effect?
The CMMC 2.0 model was announced by the US Department of Defense (DoD) in November 2021. It becomes a contract requirement only once the DoD rulemaking process (the 32 CFR program rule and the 48 CFR acquisition rule) is complete and the DoD begins including the CMMC level in solicitations and contracts.
What does CMMC do?
CMMC aims to standardize and improve cybersecurity practices within the Defense Department and Defense Industrial Base (DIB) ecosystem. It ensures that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
Who does CMMC apply to?
CMMC applies to DIB contractors and subcontractors whose unclassified networks process, store, or transmit CUI, as well as those whose unclassified networks process, store, or transmit Federal Contract Information (FCI).
What are the CMMC Levels?
There are three CMMC 2.0 levels, each with associated practices and assessment requirements. Level 1 (Foundational) covers the basic safeguarding requirements of FAR 52.204-21 for protecting FCI. Level 2 (Advanced) is a good benchmark for most contractors handling CUI: it requires implementing all 110 security requirements of NIST SP 800-171 Rev. 2. Level 3 (Expert) is the highest level and adds a subset of the enhanced requirements from NIST SP 800-172 on top of Level 2. The DoD specifies the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
Who can provide CMMC assessments?
Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) conduct Level 2 certification assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies. Note that not every level requires a third party: Level 1 is an annual self-assessment, Level 2 is either a self-assessment or a triennial C3PAO assessment depending on the contract, and Level 3 is assessed by the DoD itself (DIBCAC). ControlCase is not a C3PAO in this context; we help you get ready for the assessment by providing gap assessment and remediation support.
NIST 800-171 Applicability
The purpose of NIST SP 800-171 is to provide federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal systems. The requirements apply only to those components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components, so scoping the CUI boundary correctly is the first step of any assessment. The requirements are intended for use by federal agencies in contracts or other agreements established with nonfederal organizations. NIST SP 800-171 Rev. 2, the revision CMMC Level 2 is based on, consists of 110 security requirements organized into 14 control families derived from FIPS 200 and NIST SP 800-53:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
ControlCase NIST 800-171 Readiness Assessment
ControlCase provides a readiness assessment to identify gaps and support the remediation effort required to meet NIST SP 800-171 requirements. The assessment includes a review of all 14 domains and 110 controls. ControlCase delivers a Readiness Assessment Report identifying the control weaknesses that should be addressed so that your organization can achieve compliance with NIST SP 800-171.
ControlCase NIST 800-171 Compliance Assessment
ControlCase performs a full NIST SP 800-171 audit of your environment and provides a report documenting the results of the assessment. The report clearly identifies what was tested and what was not, in particular controls deemed not applicable and controls inherited from leveraged systems such as cloud service providers. Included with the report is a Plan of Action and Milestones (POA&M) to drive remediation of the identified security control weaknesses.