Cyber Maturity Model Certification

Service Overview

What is the CMMC?

The DoD’s Cybersecurity Maturity Model Certification (CMMC) will serve as the verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place across the DoD’s industry partners and suppliers. The CMMC combines various cybersecurity standards and best practices, listed below, into a model where maturity and practice

FAR Clause 52.204-21

NIST SP 800-171 Rev 1

Draft NIST SP 800-171B

CIS Controls v7.1

NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1

CERT Resilience Management Model (CERT RMM) v1.2

NIST SP 800-53 Rev 4

Others such as, UK NCSC Cyber Essentials, or AU ACSC Essential Eight

Key Benefits:

CMMC Readiness Assessment:

Assist organizations in choosing an appropriate goal level of CMMC certification (Level 1 through Level 5).

Identify gaps between the organization’s current state and required state to achieve the desired level of CMMC certification.

Assist organizations in developing an internal project plan to remediate gaps and prepare for a CMMC audit once the certification body has released the certification requirements and assessors have been trained and authorized.

Cybersecurity Best Practices

The CMMC model contains 171 cybersecurity best practices:

Level 1: Basic safeguarding of client data

Level 2: Intermediate implemented safeguards in place

Level 3: Good broad protection of Controlled Unclassified Information (CUI)

Level 4: Proactive Reduction of Risk from Advanced Persistent Threats

Level 5: Advanced Reduction of Persistent Threats/Progressive Security

Level 1

Basic safeguarding of client data

Level 2

Intermediate implemented safeguards in place

Level 3

Good broad protection of Controlled Unclassified Information (CUI)

Level 4

Proactive Reduction of Risk from Advanced Persistent Threats

Level 5

Advanced Reduction of Persistent Threats/Progressive Security

Additional information on CMMC model may be found here.

What Is Audited With CMMC?

CMMC works much like a NIST standard wherein 17 domains of controls and procedures are audited against an established standard. These areas include:

Access_Control-V3-150px

Access Control (AC)

Awareness-V2-150px

Awareness and Training (AT)

Threat-Monitoring-V2-150px

Asset Management (AM)

Audit-V2-150px

Audit Accountability (AU)

Configuration-V2-150px

Configuration Management (CM)

User-Authentication-V3-150px

Identification and Authentication (IA)

Prioritize-V2-150px

Incident Response (IR)

Shield-150px

Maintenance (MA)

Personal-Security-V1-150px

Personnel Security (PS)

Recovery-V1-150px

Recovery (RE)

Containment-V2-150px

Risk Management (RM)

File-Protection-Monitor-150px

Security Assessment (CA)

IDS-Tech-V3-150px

Situational Awareness (SA)

Protected-Communications-V1-150px

System and Communication Protection (SC)

Integrity-V2-150px

System and Information Integrity (SI)

How It Works

Step by Step the CMMC Readiness Assessment Process

Step 1: Project Scope

Our Security specialist will schedule a series of calls to determine the in-scope environment and gather the necessary personnel and resources.

Step 2: Selection of CMMC Certification Level

Your MegaplanIT team will review each of the CMMC certification levels along with your business drivers for achieving CMMC certification to help you determine the most appropriate level of certification for your organization.

Step 3: Validation of CMMC security controls

MegaplanIT will test all systems and their respective controls against the CMMC security compliance standard.

Step 4. Draft reports and QA Process

We will draft a report highlighting any significant deficiencies or gaps uncovered during the testing phase.

Step 5. Trusted advisory and remediation

Throughout the assessment process, your security consultants will oversee the addition of any new devices,applications, or infrastructure that could affect your CMMC-compliant status. If you have a question, our dedicated team will be there to help.

Levels & Descriptions

Each domain contains a set of defined processes and practices which align to the level of practice progression, or implementation, as defined above and in the right side of the graphic below. In addition, the institutionalization, or maturity, of the processes and practices is assessed as shown in the left side of the graphic below. An organization must demonstrate both maturity and implementation of processes and practices to be certified at a given level.

CMMC Readiness Assessment

Currently, the CMMC Accreditation Body is in the process of developing the standard to be used for applying the model and preparing to certify trainers for educating assessors. Until the CMMC AB has released the training and assessors have been authorized, organizations cannot be audited for CMMC compliance. Instead, organizations should focus on DFARS/NIST SP 800-171 compliance as the minimum preparation for CMMC.

Why is the CMMC useful?

All new contracts and Requests for Information from the Department of Defense (DoD) and its vendors will require specific levels of CMMC compliance by 4Q 2020. Any company wishing to do business with the DoD, or a DoD vendor will need to prove their compliance with CMMC. In addition, the CMMC provides a gauge for the auditing of organizational processes and procedures along with appropriate supporting evidence to expose areas in need of improvement to protect intellectual property and sensitive information. The Council of Economic Advisors estimates the cost of malicious cyber activity in the billions of dollars for the U.S. economy alone. Strong cybersecurity controls are one step all organizations can take to protect their most valuable assets, regardless of the industry they serve. Certification levels for each organization are validated by a CMMC Third Party Assessment Organization authorized and trained to perform the work by the CMMC Accreditation Body.  Organization’s compliance with CMMC will go beyond the current DFARS 252.204-7012 self-attestation and is valid for three years

Some examples of audits and assessments that MegaplanIT conducts that can support CMMC is included, but not limited to the following:

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.

Classification
Tier 1
Tier 2
Tier 3
High
One Hour
Continuous effort
Continuous business-day effort
Medium
Four- to six-hour response time
Continuous business-day effort
Worked on a time-available basis
Low
Response by next business day
Worked on a time-available basis
Worked on a time-available basis
Classification
Criteria
High
Problem affects time-critical applications with production work substantially degraded. Software is completely unusable and no known workaround is currently available. The affected system is a necessary component of the customer’s production process.
Medium
Software significantly impaired such that customer’s key business processes cannot be conducted and no known work-around is currently available.
Low
Software is functional; however there is minimal impact to the customer’s ability to use the software for production purposes.
Template is not defined.