CMMC
The United States Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) program to assess defense contractors’ cybersecurity skills, readiness, and competence. At a high level, the framework combines procedures, guidelines, and inputs from existing cybersecurity standards and regulations, such as those from the National Institute of Standards and Technology (NIST), the Federal Acquisition Regulation (FAR), and the Defense Federal Acquisition Regulation Supplement (DFARS).
How to get compliant
CMMC mandates third-party validation of compliance through assessments performed by CMMC third-party assessor organizations (C3PAOs).
What is the purpose?
The CMMC program’s primary purpose is to increase the trustworthiness and security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) maintained by Federal contractors. CMMC assures the Department that contractors and subcontractors follow DoD cybersecurity requirements by embedding cybersecurity standards into procurement programs.
Who does it apply to?
Companies wishing to be considered for future DoD tenders will be met with a CMMC requirement. This applies to leading suppliers (primes) and sub-suppliers (subs). Existing subcontractors that are not already subject to NIST 800-171 will meet the same requirements in contract extensions.
In the future, the DoD will indicate the level of security required for each individual tender. Tenders where no CUI is processed (only FCI) can typically be satisfied with Level 1, while tenders requiring CUI processing require Level 2 or 3. Companies that only deliver “Commercial-Off-The-Shelf” (COTS) products do not need CMMC.
The 3 Levels of CMMC
Foundational
Level 1 is the minimum basic CMMC level, focused on protecting FCI. It includes 17 NIST SP 800-171 requirements with no additional practices. Level 1 is not expected to require assessment by C3PAOs, but it will require self-assessment by Defense Industrial Base (DIB) organizations.
Advanced
Level 2 is focused on the protection of CUI. It is the equivalent of NIST SP 800-171 and includes all 110 requirements from NIST SP 800-171.
Expert
Level 3 is focused on highly sensitive CUI. Level 3 builds on the 110 requirements in Level 2 (NIST SP 800-171) and adds a subset of NIST SP 800-172 requirements. Level 3 assessments are expected to apply to a minimal number of contract requirements and contractor certifications.
How can ISC help?
As a CMMC 2.0 compliance and certification expert, our company offers comprehensive assistance to help clients achieve compliance with the Cybersecurity Maturity Model Certification (CMMC). Here's how we can support your organization:
Benefits of choosing ISC
Our expertise guarantees a streamlined compliance process that significantly reduces the risk of costly breaches and penalties. Our seasoned team brings extensive experience and in-depth knowledge of industry standards, helping you tailor your approach and identify the scope of your compliance. With our guidance, you can navigate the complex landscape of compliance and certification requirements efficiently and accurately, safeguarding your organization’s critical assets and reputation.