Understanding Cybersecurity Maturity Model Certification (CMMC)
[ZOOM EVENT] Wednesday, June 23, 2021 @ 11AM-12PM ET
Cybersecurity Maturity Model Certification (CMMC)
Prepare Your Business for CMMC with a Gap Assessment Today
The Cybersecurity Maturity Model Certification (CMMC) represents the latest government effort by the United States Department of Defense (DoD) to adequately secure government data. Government data being utilized and/or developed by vendors with contracts or subcontracts through the U.S. DoD requires some of the best cybersecurity available. This is why the CMMC will soon be required for businesses and manufacturers working with the U.S. DoD.
Several drafts of the CMMC were publicly released and public comment was requested. The U.S. DoD took public feedback into account and issued CMMC v1.0 on Jan. 31, 2020. This was updated to v1.02 on March 18, 2020.
While DFARS 252.204-7012 and NIST SP 800-171 are government regulations that require certain cybersecurity efforts by vendors, the requirements of DFARS 7012 and NIST 800-171 can be completed following the award of a contract and rely on a self-assessment and attestation process. The new CMMC requires that certain cybersecurity policies, procedures, and controls be implemented prior to the award of a contract, as certified by an accredited, independent third-party CMMC assessor.
Dox is now a Registered Provider Organization
Registered Provider Organizations (RPOs) supply advice, consulting, and recommendations to their clients regarding the CMMC standards. Through working with an RPO such as Dox, both primary and secondary contractors can gain insight into the requirements of CMMC from an organization with staff trained in basic CMMC methodology by the CMMC Accreditation Body (CMMC AB). Furthermore, RPOs are bound by a professional code of conduct while providing targeted CMMC assessment preparation to every client.
Benefits of working with an RPO
There are many benefits to working with an RPO, which is authorized to educate clients regarding the CMMC standard and familiarize them with the basic constructs of the CMMC. By offering consulting services including gap assessments to identify shortcomings in cybersecurity best practices, Dox assists clients in moving toward CMMC accreditation with fewer obstacles.
What this means for manufacturers and other businesses working with the U.S. DoD and for the National Aeronautics and Space Administration (NASA) is that Dox will provide advice and recommendations to aid them in preparing for CMMC certification, which is now required on all DoD and NASA contracts. Additionally, DoD and NASA contracts require a flow-down model in which subcontractors must also achieve CMMC certification.
Frequently Asked Questions
What is Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) represents the latest government effort by the U.S. DoD and NASA to adequately secure government data. Government data being utilized and/or developed by vendors with contracts or subcontracts through the U.S. DoD and NASA requires some of the best cybersecurity available. By meeting those cybersecurity standards, companies ranging from engineering to manufacturing and aerospace are able to achieve CMMC certification and qualify for future DoD and NASA contracts.
Who needs CMMC certification?
Any business or organization that contracts with the U.S. DoD or NASA, or wishes to do so in the future, will be required to achieve CMMC certification. This includes any company that is part of the defense contract supply chain. The DoD estimates the CMMC standards will affect approximately 300,000 companies. Most contracts with the DoD and/or NASA will require a certification between Level 1 and Level 3.
How is CMMC compliance achieved?
The CMMC is the DoD’s verification mechanism designed to ensure cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that exists on Defense Industrial Base (DIB) systems and networks. CMMC compliance is based on achieving certain hygiene levels (1-5) for your business’s environment.
Compliance is no longer reached through a self-attestation process. Businesses wishing to achieve compliance must now do so through a third-party Registered Practitioner (RP). Consulting with an RPO such as Dox first will help you identify cybersecurity shortfalls and suggested remediation to address them prior to working with an RP and a CMMC Third-Party Assessor Organization (C3PAO). Taking the initial step to work with Dox before moving on to the RP and C3PAO for CMMC certification can save your company both time and money.
What are the CMMC levels?
The CMMC maps cybersecurity best practices and processes through five maturity levels ranging from basic cyber hygiene at Level 1 to the most secure cyber hygiene at Level 5.
How does my business become CMMC compliant?
The process of achieving CMMC compliance starts with Dox. Our trained experts will perform a pre-assessment of your company’s work environment to provide a gap analysis of CMMC at the specific level you wish to achieve. The pre-assessment is Step 1 in determining what work needs to be done first. Step 2 requires applying the suggested remediation for any security shortfalls. Step 3 is when organizations go through the certified assessment process by a certified auditor from a C3PAO against a certain CMMC Level (1-5).
CMMC Affects Primary & Secondary Contractors
In addition to the requirements of the CMMC being fulfilled by the primary contractor, the Office of the Under Secretary of Defense (OUSD) also requires flow down of the requirements to all subcontractors on DoD contracts, regardless of their size or function. There are five levels of certification for CMMC. The government will determine the appropriate level required for each contract it administers. The required CMMC level will be contained in sections L and M of the request for proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts (see information on levels below). The higher the level of CMMC certification your business achieves, the more contracts it will be eligible to bid for.
As of June 2020, government contractors and subcontractors were required to implement CMMC standards for DoD and NASA contracts, according to the OUSD. Vendors are now required to meet or exceed the CMMC cybersecurity requirements included as part of new requests for information (RFI). This is typically one of the first steps in awarding new defense contracts. Businesses working with DoD contracts are required to be certified at the designated CMMC level or they risk losing future contracts.
The CMMC model categorizes cybersecurity best practices at the highest level by domains. There are 17 domains within the current CMMC model and each domain is segmented by a set of capabilities. Capabilities are achievements to ensure cybersecurity objectives are met within each domain. DoD and NASA vendors will be able to demonstrate compliance with the required capabilities by exhibiting adherence to practices and processes, which are mapped to five maturity levels.
The CMMC comprises five defined cybersecurity levels. Each level has a set of supporting practices and processes. Level 1 requires the most basic cyber hygiene, while Level 2 requires intermediate cyber hygiene. Level 3 requires compliance with more practices and processes to achieve good cyber hygiene, while Level 4 requires a higher, proactive approach to cybersecurity. Level 5 is the highest level of CMMC and requires the most advanced and progressive practices and processes. There are nine different practices and processes in place for each one of the 17 domains.
Practices are better known as controls. These practices are broken up by the different levels and each level calls for a variety of practices that must be implemented. The levels are cumulative, meaning a practice required at level one is also required at all higher levels.
Level 1: 17 practices
Level 2: 55 practices (plus L1 practices)
Level 3: 58 practices (plus L1-L2 practices)
Level 4: 26 practices (plus L1-L3 practices)
Level 5: 15 practices (plus L1-L4 practices)
Levels 1-3 include a total of 130 practices that target the greatest and most active components of the U.S. Defense Industrial Base (DIB) government contracts. Levels 4 and 5 include a total of 41 practices that target small subsets of the DIB supporting critical programs. With a total of 171 practices, CMMC has a significantly higher number of controls than previous government regulations to ensure cybersecurity best practices.
Processes are also broken into five levels. These also represent maturity level capabilities per domain.
Level 1: 0 processes
Level 2: 34 processes
Level 3: 17 processes (plus L2 processes)
Level 4: 17 processes (plus L2-L3 processes)
Level 5: 17 processes (plus L2-L4 processes)
How Can Dox Help?
Dox, a certified Exostar partner, achieved accreditation as a third-party CMMC RPO in June 2020. This allows Dox to offer white-glove service to all businesses, regardless of their size, wishing to move toward Cybersecurity Maturity Model Certification. This will enable your organization to move ahead with the DoD bid process without barriers.
As an Exostar partner, Dox also continues to offer assessments for compliance with NIST SP 800-171 and DFARS, which include the requirements of most current DoD contracts. This type of assessment provides insight into your preparedness for CMMC as most of the practices required for CMMC at levels 1, 2, and 3 come from NIST SP 800-171. In fact, every one of the 110 requirements in NIST SP 800-171 appears as a practice within CMMC levels 1, 2, and 3.
Assess and Comply with All Three Types of Security Requirements
Call Dox Today for Regulation Assistance
The CMMC consultants at Dox are here to assist your organization with all of its government and DoD regulation compliance requirements. As a Microsoft Silver Partner, Dox is a certified Microsoft reseller for the Microsoft 365 U.S. Government Community Cloud (GCC) High environment. Dox now offers Microsoft 365 GCC High licensing for companies requiring fewer than 500 licenses to ensure your company meets the requirements of everything from NIST 800-171 to FedRAMP and ITAR.
Many business leaders are confused about which cloud is right for them. For those businesses with government contracts through the DoD or those that fall under DFARS or ITAR requirements, GCC High is a necessity for achieving compliance. DFARS requires the business cloud environment to be FedRAMP compliant as well. Microsoft cannot supply the reporting and compliance requirements of DFARS 7012 paragraphs C through G under the regular public Office 365 offering. Microsoft only certifies DFARS compliance on the GCC High environment.
Don’t worry about becoming regulation compliant. Ensure your business achieves compliance with support from Dox.
Call Dox now at (585) 473-7766 to schedule a free consultation.
Non-Compliant Businesses are Losing Money. Don’t be One of Them.
Now is the time to begin the process of moving toward Cybersecurity Maturity Model Certification if your company hasn’t already done so. According to the Office of the Under Secretary of Defense (OUSD), unless a higher level is specified, all contractors and subcontractors must meet a minimum of CMMC Level 1 requirements. Manufacturers and vendors that are not certified face losing future DoD and NASA contracts as a result. Uncertified businesses will likely see large financial losses as a direct result of failure to achieve certification.
Those businesses that fail to meet the CMMC requirements will experience:
Loss of new DoD contracts
Loss of business reputation
Loss of revenue from DoD contracts
Don’t wait until the last minute to become CMMC certified. If you are slower to achieve certification than your competitors, that puts your business at a distinct disadvantage. With proper certification, you can outbid your competition.
Schedule your CMMC gap assessment meeting now by calling (585) 473-7766. Contact Dox and we will reach out to you as soon as possible to schedule your free initial consultation.
Dox performs assessments throughout the United States and offers a separate project team for remediation.