2 Industrial Road, Suite 203, Fairfield, NJ 07004
973-402-5889

Cybersecurity Maturity Model Certification (CMMC)

The US Department of Defense (DoD) has developed a new certification framework to address cyber risks in supply chains. The new “Cybersecurity Maturity Model Certification” (CMMC) establishes a 5-stage maturity approach for cybersecurity requirements. From June 2020 onwards, the requirements are to be included in Sections L and M of “Requests for Information” (RFIs), and in the tendering process from around September 2020 onwards.

All contractors and subcontractors to the Government have to be certified against one of the five maturity levels of the CMMC by independent auditors. For this reason, companies should work well in advance to determine their degree of maturity and to close any gaps in time. This is the only way to ensure smooth certification, minimize risk and qualify in the award process.

How does the CMMC work?

The following sections cover the most important aspects of the CMMC and what is necessary to align security processes, specifications and practices with it. The CMMC gives the DoD an instrument to enforce the current Defense Federal Acquisition Regulation Supplement (DFARS) requirements (DFARS clause 252.204-7012) in your contracts. Functionally, the CMMC is based on various standards, such as ISO 27001:2013, but overlaps most with the “National Institute of Standards and Technology Special Publication 800-171”, the current standard for the protection of “controlled unclassified information” (CUI).

The DoD Procurement Office will assign a CMMC level to each contract. The level is assigned according to the degree of system security and process maturity that the office deems necessary to protect the information and the systems that handle it.
The CMMC consists of 17 domains with a total of 171 “Cybersecurity Controls”, which are distributed over the five maturity levels.

What if my organization is already working on the requirements from DFARS or NIST SP 800-171?
Organizations that already meet the requirements of NIST SP 800-171 are in a good position to pursue CMMC Level 3 certification. 130 controls are congruent with those of NIST SP 800-171; however, CMMC Level 3 adds 20 further controls, listed below.

Domains added:
• Identification and classification of information
• Storage and analysis
• Audit logs
• Event management
• Incident management
• Storage of backup data and performing recovery tests
• Conducting code reviews in software development
• Cyberthreat intelligence management
• Network security
• Implementation of DNS filtering
• Use of email security (spam filter, encryption, etc.)

How should organizations prepare for the CMMC?
If you are currently working with the DoD or will do so in the future, structured preparation is essential. Even though not everything about the CMMC is finalized yet, much of the central information and many of the requirements are already available in the DoD’s publications. This information is sufficient to prepare for the expected finalization of the framework in autumn 2020.

With this in mind, we recommend initiating the following steps over the coming weeks and months:

• Identify the information that is the subject of the DoD contract and the processes, systems and applications that handle it. Consolidate these to reduce the “compliance footprint”.
• If you handle CUI or “covered defense information” (CDI) yourself and already meet the DFARS requirements that apply to you, you should prepare for at least Level 3 certification.
• Carry out a detailed gap analysis to determine the current level of maturity and identify any gaps.
• Develop a roadmap to close the gaps in a structured manner.
• As a subcontractor, you should approach your customers and find out whether they have already received information regarding the CMMC.

How can JJK Consulting support your organization?
• Analysis of information, processes and systems to identify the scope
• Assessments to determine the current degree of maturity and any gaps
• Development of a roadmap to close gaps in a structured manner and enable a higher degree of maturity
• Establishment of “security controls” and processes based on the required level

Our cybersecurity experts will be happy to support you.

March 25, 2021