CMMC: An Introduction to the Cyber Maturity Model Certification

Incorporation of these business practices into your information security governance model will assist in securing your environment and compliance with the standard.

As the standard is implemented it retains a hierarchical system in which all compliance objectives for Level 1 compliance must be attained and be built upon for Level 2 compliance. Additional information on the CMMC model may be found here.

What is audited with CMMC?

CMMC works much like a NIST standard wherein 17 domains of controls and procedures are audited to an established standard. These areas include:

Each domain area is audited against an established standard to achieve a level (L1-L5) of compliance with the CMMC standard. Audits performed against these criteria per the maturity model are listed using the convention [DOMAIN].[LEVEL].[PRACTICE NUMBER] where:

• DOMAIN is the two-letter domain abbreviation;
• LEVEL is the level number; and
• PRACTICE NUMBER is the identifier assigned to that practice.

The focus of the CMMC standard is to audit processes and procedures in place for the protection of data in transit and at rest of information security systems. Systems in scope may include company secrets, client databases and any other information that may be classified or otherwise not public facing for the infrastructure of your business.

Why is the CMMC useful?

The CMMC is a gauge for an organization the auditing of their processes and procedures along with appropriate supporting evidence to expose areas of improvement within their infrastructure. Practices and processes may be improved, changed, or removed from corporate policies and practices as they may not align with the entity’s overall information security stratagem. Congruence with the CMMC may prove to your government-contracted client that your business has been audited against their standards and is actively making improvements to the governance model of your business.

According to Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition, (A) CMMC standards will begin populating RFPs for DoD contractors by the fall of this year with a full rollout expected to be complete within 5 years. Compliance with the standard will ensure a leading edge in the selection process to become a DoD contractor.

Why MegaplanIT?

MegaplanIT Holdings, LLC provides a trusted advisory and assistance at a pace convenient to continue business as usual. Our business processes, tools, and technical expertise will ensure that the audit process is expedient and cost-effective as to eliminate downtime and resource requests. MegaplanIT is involved in several audits also found within the CMMC model including but not limited to:

• NIST 800-171
• NIST 800-53
• NIST Cyber Security Framework
• PCI-DSS
• PA-DSS
• ISO 17020
• ISO 27001-27002