What is the Cybersecurity Maturity Model Certification (CMMC)?

 



The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.

The DoD implemented requirements for safeguarding Covered Defense Information (CDI) and cyber incident reporting through the release of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204–7012 in October 2016. The DFARS directed DoD Contractors to self-attest that adequate security controls were implemented within contractor systems to ensure that CDI confidentiality was maintained. The security controls required to be implemented by the DFARS are defined within National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) started the process of creating the CMMC in March 2019, with the finalization of the CMMC v1.0 expected in January 2020.

CMMC in the Near-Term

CMMC will not be required for all contractors immediately and will be phased in for certain DoD-identified contractors beginning in September 2020. When fully operational, the CMMC will be mandatory for all entities doing business with the DoD at any level. Prime contractors, and their subcontractors, will be required to meet one of the five CMMC trust levels, and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities. Initial Award, or continuance, of a DoD contract will be dependent upon CMMC compliance. No contractor organizations will be permitted to receive or share DoD information related to programs and projects without having completed the CMMC process. At the time that a contractor’s contract is up for renewal they must be CMMC compliant.

In January 2020 the CMMC will release a checklist for contractors which will allow them to identify how well they currently comply with the framework, and to assist with planning and implementing security maturity tasks. The CMMC will be included as a component of Requests for Information (RFIs) in mid-2020 and is expected to be included in Requests for Proposal (RFPs) by late 2020. The required CMMC compliance level will be contained in sections L & M of RFPs, making cybersecurity an “allowable cost” in DoD contracts.

CMMC will combine elements of various cybersecurity control standards such as NIST SP 800–171, NIST SP 800–53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for CUI cybersecurity.

CMMC Timeline
May 2019: Version 0.1
July 2019: Version 0.2 identified and reviewed
September 2019: Version 0.4 released
October 2019: CMMC implemented requirements released
November 2019: Version 0.6 to be released for public review
January 2020: Version 1.0 finalization expected; compliance checklist released
June 2020: CMMC will begin appearing in RFIs
September 2020: CMMC Will Begin Appearing in RFPs

To Know more about the CMMC , Read Complete article at – CMMC Certification Model

For more information regarding CMMC certification, contact us at info@a-lign.com or call 1–888–702–5446.

To Know more about CMMS Sercices, visit at — A-LIGN

Source

Comments

Post a Comment

Popular posts from this blog

SOC 1, SOC 2, and SOC 3 Reports: Type 1, Type 2 or Readiness Assessment?

Image
  SOC reports are gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation are becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC reports ensure that controls are properly implemented and used within your organization, greatly reducing potential security threats. For organizations seeking a SOC 1 , SOC 2 , or SOC 3 report, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation. With so many options, what type is best for your organization to prove compliance? Our experienced assessors break down the options so the path to compliance is clear between SOC 1, SOC 2 and SOC 3. We then dive into the various types of SOC reports: Type 1, Type 2 and a readiness assessment. SOC 1 Report A SOC 1 report foll...
Read more

What is NIST 800-171?

Image
  Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST800-171. Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information. National Institute of Standards and Technology (NIST) 800-171 is a mandate that states that federal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) must comply with certain standards to protect that data. Compliance with NIST 800-171 is required under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. What is Controlled Unclassified Information (CUI)? CUI is information crea...
Read more

Federal Compliance 2022: CMMC 2.0, StateRAMP, FedRAMP & Beyond

Image
  With the recent unveiling of CMMC 2.0, the expanded presence of StateRAMP, and new FedRAMP advisory guidelines for external servers, it’s safe to say that 2022 has a lot in store for Federal compliance changes. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss the latest news in federal compliance and what it could mean for your organization. Let’s dive in and get their thoughts on the latest CMMC 2.0 introduction, the new FedRAMP authorization boundary guidance, StateRAMP and more! CMMC 2.0Like everyone else in the world of federal compliance, A-LIGN and Anitian have been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020. With the release of CMMC 2.0 , three major changes were recently announced: fewer security tiers, removing some third-party assessment requirements, and allo...
Read more