Understanding and Implementing CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a mechanism that integrates best practices from various cybersecurity standards to ensure government contractors protect critical government information assets. It was developed by the Department of Defense (DoD) with collaboration from industry partners and other government agencies to obtain widespread dedication to cybersecurity hygiene – not just as a checklist but as a standard, industry-wide practice. The CMMC is intended to be applied by DoD government contractors that work with controlled unclassified information (CUI), both prime and subcontractor. The CMMC does not cover classified information or Sensitive Compartmented Information Facilities (SCIF). The CMMC was released in early 2020 and will be applied to all DoD procurements by 2026. It is currently in motion to be implemented with civilian agencies over time.
Getting Started on the CMMC Journey
CMMC compliance will eventually be required for all DoD contracts, and we recommend that organizations start early and find their ‘cyber helpers’ to assist in their information security transformation. There are five progressive levels within the CMMC, from Basic to Advanced. Stepping up to even the first maturity level can be a heavy lift for any organization that does not have an existing quality improvement framework in place. Infrastructure investment and information security training will be needed, especially for organizations that are not familiar with other information security standards such as ISO 27001 or NIST 800-171.
Based on our own lessons learned with security self-attestation and ISO 27001 registration, we know that cybersecurity hygiene is not just a time-bound corporate initiative. Instead, it is a transformation of the way an organization proactively protects information assets. CMMC is not just a compliance checklist; it is a tool that enables information security to become part of the way you do business.
The Path to Obtaining CMMC Compliance
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), an independent non-profit organization, has been created to work with the DoD to oversee CMMC assessments. The CMMC-AB has established working groups with leading experts to develop the accreditation framework. The DoD has no oversight of the certification process. CMMC audits will be performed by an external assessor; each audit is a pass/fail assessment of an organization’s cybersecurity hygiene. The CMMC-AB will be approving Certified Third-Party Assessment Organizations (C3PAOs) to perform these audits. For timelines and updates, visit the accreditation board website.
Finding Helpers on Your Cybersecurity Journey
Prior to certification, organizations need to have a plan of attack and a well-thought-out implementation approach. Citizant has a recommended 5-step process towards CMMC adoption. We have used this methodology repeatedly for ISO 27001, as well as for other industry certifications such as CMMI and ISO 9001. We understand cross-model connections and how to map current practices to certification requirements. We have experience conducting information security gap analyses and building plans of action and milestones (PoAMs). Our approach includes the use of a multi-model cyber hygiene compliance tool that enables us to take a pulse of the organization at any point in time against CMMC and other security standards.
Let Citizant be your partner as your organization begins its journey to obtain CMMC accreditation. Leverage our milestones-to-success model to become compliant and ready for certification. Email us at firstname.lastname@example.org to learn more.