SO YOU WANT TO BE CMMC CERTIFIED!

PART ONE:

CMMC stands for Cybersecurity Maturity Model Certification.  It was introduced by the Department of Defense (DoD) for its contractors, and other federal agencies are expected to adopt it for their contractors as well.  If you are a federal government contractor, some of your subcontractors may also have to be certified, because the requirement flows down to any subcontractor that handles the same categories of information.  The Cybersecurity Maturity Model is similar to other maturity models (e.g., CMMI) that originated at Carnegie Mellon University's Software Engineering Institute.

CMMC has five levels, beginning with Level 1-Basic Cyber Hygiene.  Conformance with its seventeen practices demonstrates compliance with the basic safeguarding requirements of the Federal Acquisition Regulation (FAR 52.204-21).  Next comes Level 2-Intermediate Cyber Hygiene.  Conformance with its seventy-two practices demonstrates compliance with the FAR plus performance of a subset of forty-eight practices from NIST SP 800-171 r1 and an additional seven practices.

Level 3-Good Cyber Hygiene requires compliance with the FAR, performing all 110 practices from NIST SP 800-171 r1, and performing an additional 20 practices to support good cyber hygiene, for a total of 130.  Level 4-Proactive requires everything required for Level 3 plus performing eleven practices from Draft NIST SP 800-171B and further practices to demonstrate a proactive cybersecurity program, for a total of 156.

The final level is Level 5-Advanced/Progressive.  Attaining this level requires compliance with the FAR, performing all 110 practices from NIST SP 800-171 r1, performing 15 selected practices from Draft NIST SP 800-171B, and performing the remaining additional practices to demonstrate an advanced cybersecurity program, for a total of 171.  Each level is cumulative: it includes every practice of the levels below it.

As an organization advances from Level 1 through the levels, it demonstrates that its cybersecurity activities are progressively more institutionalized: documented, managed, reviewed, and optimized rather than performed ad hoc.  The more embedded an activity (cybersecurity) is, the more likely the organization will continue to perform it, even in times of stress, and the more likely its outcomes will be consistent, repeatable, and of high quality.

There is no self-certification for the CMMC.  Instead, your organization will be assessed by an independent, accredited third-party assessment organization (a C3PAO) that is authorized to perform such assessments, and the certification it issues is what a contracting officer will check against the level required in the solicitation.

PART TWO:

The next posting will describe how to prepare for a CMMC assessment.

Eva Freund
[email protected]