What is the Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is the new certification procedure put in place by the Department of Defense (DoD) in an effort to properly secure the Defense Industrial Base (DIB). This certification verifies that contractors have adequate cybersecurity controls and policies in place to meet the security standards of the military. The DoD is undergoing an industry-wide cultural shift with significant impact and elevated penalties for non-compliance. Penalties could include the loss of DoD business, personal and corporate liability, and negative corporate brand impact.

Every DoD contract that goes out for proposal will have a CMMC pre-qualification requirement, and every vendor on that contract must have a CMMC certification.

CMMC Certification Levels

The CMMC incorporates a variety of security controls from some of the other existing frameworks and standards. The CMMC has five cumulative maturity levels ranging from basic cyber hygiene to advanced security operations.

  • Level One: Basic Cyber Hygiene (Performed). This level targets safeguarding of Federal Contract Information (FCI).
  • Level Two: Intermediate Cyber Hygiene (Documented). This level targets establishing and documenting practices and policies for CMMC compliance.
  • Level Three: Good Cyber Hygiene (Managed). This level targets having the basic ability to protect Controlled Unclassified Information (CUI) and effective implementation of the security requirements of NIST SP 800-171.
  • Level Four: Proactive (Reviewed). This level targets the requirement of enhanced cybersecurity practices that can defend CUI from advanced persistent threats (APTs), or malicious long-term attacks that mine for sensitive information.
  • Level Five: Advanced/Progressive (Optimized). This level focuses on the protection of CUI from APTs through the sophisticated ability to optimize cybersecurity capabilities.

The levels are cumulative, so compliance with a higher level requires meeting all of the security and technical specifications of the lower levels below it.

Key Steps for Getting Ready for a CMMC Audit

The CMMC has launched as one of the most stringent cybersecurity standards ever developed, which is why it took months to develop. With 171 controls spread across 17 categories, CMMC is undoubtedly more comprehensive and arguably more thorough than any similar framework.

Regardless of what DoD information your organization will hold, transmit, or process, you’ll need to achieve the CMMC certification level listed in your contract. In fact, you can’t even bid on a DoD project unless you are CMMC certified and can provide proof.

To get started on the path to compliance, DIB companies need to determine whether they are handling CUI. Once they have established where they currently stand and what type of information they handle, they should conduct a gap analysis and create a plan of action with milestones describing how they will get to where they need to be.

“The United States’ strategic competitors and adversaries are conducting cyber-enabled campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity. This constitutes one of our most critical national security concerns.”

Department of Defense

To take the first step in finding out more about how 2W Tech can help your organization align its security strategy and processes with CMMC, please complete the form below.