CMMC (Cybersecurity Maturity Model Certification)

What is CMMC (Cybersecurity Maturity Model Certification)?

CMMC is the US Department of Defense (DoD) response to increasing cybersecurity threats and compromises of sensitive data across the defense industrial base.  The first revision of the CMMC was released on January 31st, 2020, and it has since expanded into 5 levels covering a wide array of guidelines and security measures intended to decrease the risk of breaches, as well as best practices for securing your infrastructure.  In practice, it will encompass over 300,000 companies in the supply chain as it rolls out.

Auditors are currently being trained to begin, in the coming months, officially inspecting and certifying businesses that wish to continue doing work for the defense sector, whether directly or indirectly down the supply chain.  Smaller companies pose the biggest risk of being attacked because they have fewer resources to combat cyberattacks.  CMMC's purpose is to decrease those risks industry-wide.

While CMMC does not require a GAP Assessment or a POAM, it does require a system security plan.  Regardless, we highly recommend making use of the GAP Assessment portion where applicable and still fleshing out your weaknesses and milestones (POAM), as it makes for a smoother experience and better tracking of your vulnerabilities while implementing CMMC.  For a prime to bid on a contract, its suppliers must also meet, in full, the CMMC Level requirement called for in the contract.  This is why it is imperative that even the smallest of companies determine the level they need to implement in order to continue working with their customers.

NUDG in its current form covers CMMC Level 1 through Level 3.  Levels 4 and 5 are anticipated to impact only a very small fraction of companies, so we have chosen at this time to focus on the three primary levels before adding Level 4 and Level 5 identifiers.

What level of CMMC do you need?

CMMC Level 1: There are 17 CMMC Practices/Controls that cover Level 1.  Level 1 is basic security hygiene, the bare minimum security requirements needed to work as a supplier.  CMMC Level 1 covers ~15% of the NIST SP 800-171 CUI controls.  This level is reserved for companies that do not possess CUI data but do possess Federal Contract Information (FCI), and it will likely encompass only the very smallest of contractors.  The controls in CMMC Level 1 may be performed in an ad hoc manner and may have little documentation, because no process maturity is required for Level 1.

CMMC Level 2: There are 72 Practices/Controls that cover Levels 1 and 2.  Level 2 is intermediate security hygiene.  It requires that the organization establish and document all 72 practices and policies to implement this level.  It covers ~59% of the NIST SP 800-171 CUI controls and introduces the process maturity model for implementation.  The organization is expected to document the operating practices and strategic plans of its cybersecurity program.

CMMC Level 3: There are 130 Practices/Controls that cover Levels 1, 2, and 3.  Level 3 demonstrates strong cyber hygiene.  Organizations that require access to CUI should strive to achieve Level 3.  CMMC Level 3 covers 100% of the NIST SP 800-171 CUI controls plus an additional 20 Practices/Controls.  Satisfaction of CMMC Level 3 does NOT mean you are NIST 800-171 compliant.  Please refer to the NIST 800-171 help article to determine the additional items required by NIST SP 800-171.  CMMC Level 3 adds a large amount of resource tracking, incident response, and consistent review of policies and procedures.  We recommend that any company using NUDG, regardless of size, strive to get as close to Level 3 as possible, as it opens up avenues to bid, or to work with companies that bid, on nearly all contracts.

While you can fill out CMMC directly from the family identifiers, we have also sorted it by levels to help separate the controls.  Some companies may decide the best option is to complete one level before moving on to the next.  That is entirely up to you and what makes the most sense for your organization.

The identifiers are tied to the families, so any information input or implemented in the Quadrant will be applied within the Family Policy as well.  Each level of CMMC requires the level before it to be satisfied in order to complete that level.  For example, to complete CMMC Level 2, you will need to complete all 17 identifiers in Level 1 and all 55 identifiers in Level 2, for a total of 72 identifiers (Practices/Controls), to be CMMC Level 2 compliant.
