Cybersecurity Maturity Model Certification
CMMC Consulting Services
We are experienced cybersecurity strategists whose approach is founded on industry experience from both the commercial and military sectors. We blend best practices from Big 4 audit and consulting with those of DoD information assurance programs. We understand what it takes to achieve compliance and build a resilient cyber program while enabling the productivity and success of the business. Our approach works for enterprises, mid-market companies, and small businesses. We are here to give you confidence that your cybersecurity program succeeds.
Our CMMC consulting & readiness approach:
Assess the organization against the target CMMC level
Identify the gaps against that level and the areas of risk to address
Build a roadmap to reach the target CMMC level
Develop the System Security Plan (SSP) and recommend the implementations, technologies, and people needed
Support the organization through the CMMC assessment process to certification
The CMMC encompasses multiple maturity levels that range from “Basic Cyber Hygiene” to “Advanced”. The intent is to state the required CMMC level in RFP Sections L and M and use it as a go/no-go decision for contract award.
The CMMC model combines various cybersecurity control standards such as NIST SP 800-171 Rev. 1, NIST SP 800-172, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified cybersecurity standard, and maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. In addition to the control requirements, the CMMC also measures the maturity of a company’s institutionalization of its cybersecurity practices and processes.
What we know about the CMMC levels and their respective requirements to pass an assessment (practice counts are cumulative, since each level includes all lower levels):
Level 1 – “Basic Cyber Hygiene” – The DoD contractor will need to implement 17 controls of NIST SP 800-171 Rev. 1 (the same safeguards required by FAR 52.204-21). 17 practices in total.
Level 2 – “Intermediate Cyber Hygiene” – The DoD contractor will need to implement another 48 controls of NIST SP 800-171 Rev. 1 plus 7 new “Other” controls. 72 practices in total.
Level 3 – “Good Cyber Hygiene” – The DoD contractor will need to implement the final 45 controls of NIST SP 800-171 Rev. 1 (completing all 110) plus 13 new “Other” controls. 130 practices in total.
Level 4 – “Proactive” – The DoD contractor will need to implement 11 controls of NIST SP 800-172 plus 15 new “Other” controls. 156 practices in total.
Level 5 – “Advanced / Progressive” – The DoD contractor will need to implement the final 4 controls of NIST SP 800-172 plus 11 new “Other” controls. 171 practices in total.
CMMC Assessment Guidance
To achieve a given CMMC level, an organization must demonstrate both the requisite maturity processes and the implementation of the practices for that level and all lower levels. For example, to be certified at Level 3, the organization must satisfy all processes and practices at Levels 1, 2, and 3. Where an organization demonstrates different levels of achievement for process maturity and practice implementation, it is certified at the lower of the two.
The assessment guidance is structured by the 17 CMMC domains. For each CMMC process and practice there is a defined assessment procedure. The CMMC assessment guide leverages the structure and content of NIST SP 800-171A, which defines the terms as follows:
An assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects that can be used to conduct the assessment. Each assessment objective includes a determination statement related to the CMMC practice or process that is the subject of the assessment. The determination statements are linked to the content of the CMMC practice or process to ensure traceability of the assessment results to the requirements. Applying an assessment procedure to a practice or process produces assessment findings. These findings reflect, or are subsequently used to help determine, whether the practice or process has been satisfied.
Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system. Mechanisms are the specific hardware, software, or firmware safeguards employed within a system. Activities are the protection‐related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic). Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.
The assessment methods define the nature and the extent of the assessor’s actions. The methods are examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence. The interview method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence. The test method is the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior. In all three methods, the results are used to make the specific determinations called for in the determination statements and thereby achieve the objectives of the assessment procedure.
Department of Defense Focus for CMMC
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded off against cost, schedule, and performance. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain. Training on handling CUI is among the practices required for CMMC certification.
OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).
The CMMC reviews and combines various cybersecurity standards and best practices and maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, reduce risk against a specific set of cyber threats.
The CMMC effort builds upon the existing regulation (DFARS 252.204-7012), which relies on contractor self-attestation, by adding an independent verification component for cybersecurity requirements.
The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
The intent is for certified independent third-party organizations to conduct the assessments and inform risk decisions.