Request Demo

DFARS

What is the Cybersecurity Maturity Model Certification

down-arrow

Created In Response to the Evolving Threat Landscape

The United States’ Department of Defense supply chain is one of the most critical to both national security as well as the protection of the individuals in the armed forces. Regardless of where contractors sit in that supply chain, security is critical to avoid intellectual property theft or worse sabotage from bad actors.

With the rise of digital technologies that many contractors have embraced to increase efficiency and enable business growth has come new threat surfaces. The DFARS clause that went into effect in 2018 was the DoD’s first stake in the ground, indicating that members of the military-industrial complex must be held to a standard of security to protect the nation. The self-certification process though proved too unwieldy to track and verify.

Recognizing that there needed to be more structure than the self-certification of compliance with NIST SP 800-171, the Department of Defense began developing what would become the Cybersecurity Maturity Model Certification (CMMC).

What Is The CMMC?

In developing the CMMC, the DoD recognized that not all contractors have the bandwidth to develop security programs on par with a prime and nor should they have to. Recognizing that contractors’ security should be dependant on the form and caliber of controlled unclassified information (CUI) that they are working with, the CMMC is a tiered model. Ranging from Tier 1 (Basic Cyber Hygiene) to Tier 5 (Advanced/Progressive), the levels are designed to enable vendors to meet the requirements necessary for the contract they are bidding for rather than having to invest in unnecessary requirements meant for a higher bid.

The CMMC has been developed in partnership with academia (Johns Hopkins and Carnegie Mellon) and industry leaders in the form of a listening tour and draws from a library of standards and frameworks, including NIST SP 800-171 and the NIST Cybersecurity Framework.

The Cybersecurity Maturity Model Certification introduces new terminology to classify what most information security practitioners will recognize as categories, control families, and controls. In the CMMC, one will recognize what are called “Domains” as categories and subcategories from NIST SP 800-53:

From there, each Domain has a collection of “Capabilities” that bear resemblance to control families in other frameworks like SP 800-171 and the CSF. Finally, the capabilities have specific “Practices and Processes” associated with them and security leaders can see these as more granular controls.

Tips to Proactively Meet The CMMC

For most vendors, the CMMC tiers are the biggest concern. Given that they are the heart of the certification, the tiers are critical to proactively meeting the CMMC requirements. The Tier-level certification requirements for a given contract will be included in the RFI and subsequent RFP.

From our intel in the field, we have been able to glean that most contract requirements in the supply chain will fall in Tier 3 and below. Primes will be responsible for achieving Tier 4 and 5 certifications.

Our recommendation to proactive defense contractors is to start working towards Tier 3 compliance. Based on the timeline given Office of the Under Secretary of Defense for

Acquisition & Sustainment, we anticipate that Tier 3 and below are at least in their semi-final (if not final) stages and contractors can start working towards the requirements.

We have good news if you are pursuing Tier 3 compliance - if you have used CyberStrong to achieve DFARS compliance, we have identified only 19 Processes/Practices (controls) that are referenced from frameworks outside of NIST SP 800-171. We also support Tier 3 Processes and Practices in CyberStrong.

 

 

You may also like

Cybersecurity Maturity Model ...
on May 1, 2020

Why DFARS / NIST SP 800-171? A few years back, the United States Department of Defense (DoD) released a new regulation, a Defense Federal Acquisition Regulation Supplement, or ...

Dashboards are the Future of ...
on April 29, 2020

In today’s business climate, digital transformation efforts are becoming increasingly prioritized. As a result, we are seeing information security officers being consulted in more ...

GRC Software and the Impact of ...
on April 27, 2020

In recent years, the use of integrated risk management (IRM) as a methodology has become widely adopted to help orchestrate and centralize business continuity and functionality. ...

What is GRC
on May 6, 2020

Governance, Risk, and Compliance before GRC The idea of Governance, Risk Management, and Compliance (GRC), has been fundamentally integrated into the idea of how a business should ...

Cybersecurity Maturity Model ...
on April 23, 2020

The Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) is the newest iteration of the DoD’s effort to protect controlled unclassified information ...

Tools for expanding NERC CIP ...
on April 13, 2020

Scaling the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements across an enterprise can be a daunting task. ...