The CMMC is a new government standard that combines various cybersecurity standards and best practices into a graded maturity scale against which the assessed organization is compared. The CMMC grew out of a relationship aimed at producing a standard security model for government entities such as the DoD, and was created by Carnegie Mellon University and Johns Hopkins University Applied Physics Laboratory, LLC. The CMMC contains five levels (L1-L5), with L5 being the most stringent, incorporating popular standards such as:
Incorporating these business practices into your information security governance model will assist in securing your environment and in complying with the standard.

As implemented, the standard retains a hierarchical system in which all compliance objectives for Level 1 must be attained and then built upon for Level 2 compliance. Additional information on the CMMC model may be found here.
CMMC works much like a NIST standard wherein 17 domains of controls and procedures are audited to an established standard. These areas include:
| Access Control (AC) | Asset Management (AM) | Audit and Accountability (AU) |
| Awareness and Training (AT) | Configuration Management (CM) | Identification and Authentication (IA) |
| Incident Response (IR) | Maintenance (MA) | Media Protection (MP) |
| Personnel Security (PS) | Physical Protection (PE) | Recovery (RE) |
| Risk Management (RM) | Security Assessment (CA) | Situational Awareness (SA) |
| System and Communications Protection (SC) | System and Information Integrity (SI) | |
Each domain area is audited against an established standard to achieve a level (L1-L5) of compliance with the CMMC standard. Audits performed against these criteria per the maturity model are listed using the convention [DOMAIN].[LEVEL].[PRACTICE NUMBER] where:
The focus of the CMMC standard is to audit the processes and procedures in place for protecting data in transit and at rest on information systems. Systems in scope may include those holding company secrets, client databases, and any other information that is classified or otherwise not public-facing within your business's infrastructure.
Why is the CMMC useful?
The CMMC gives an organization a gauge for auditing its processes and procedures, along with appropriate supporting evidence, to expose areas for improvement within its infrastructure. Practices and processes may be improved, changed, or removed from corporate policies where they do not align with the entity's overall information security strategy. Congruence with the CMMC may prove to your government-contracted client that your business has been audited against their standards and is actively making improvements to its governance model.
According to Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition (A), CMMC standards will begin populating RFPs for DoD contractors by the fall of this year, with a full rollout expected to be complete within 5 years. Compliance with the standard will ensure a leading edge in the selection process to become a DoD contractor.
MegaplanIT Holdings, LLC provides trusted advice and assistance at a pace that lets you continue business as usual. Our business processes, tools, and technical expertise will ensure that the audit process is expedient and cost-effective, so as to eliminate downtime and resource requests. MegaplanIT is involved in several audits also found within the CMMC model, including but not limited to:
We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!