The Cybersecurity Maturity Model Certification (CMMC) Assessment
On November 4, 2021, the Department of Defense announced the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program, marking the completion of an internal program assessment led by senior leaders across the Department. The enhanced “CMMC 2.0” program maintains the program’s original goal of safeguarding sensitive information while also:
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB and has three key features:
Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels.
Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
Evolution of the CMMC: In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts).
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels.
Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards.
Reduced assessment costs: Allows companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced), to demonstrate compliance through self-assessments.
Higher accountability: Increases oversight of professional and ethical standards of third-party assessors.
Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification.
Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances.
Rulemaking and Timeline for CMMC 2.0:
The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) and in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period, while the rulemaking is underway, by considering the following five mechanisms:
CMMC Implementation (Five Steps to Make Your Company More Cyber Secure):
Educate people on cyber threats: Most cyber incidents start because of user error. Educate people about the importance of setting strong passwords, recognizing malicious links, and installing the latest security patches.
Implement access controls: Limit information system access to authorized users and to the specific actions they need to perform.
Authenticate users: Use multi-factor authentication tools to verify the identities of users, processes, and devices.
Monitor your physical space: Escort visitors and monitor visitor activity, maintain audit logs, and manage physical devices such as USB keys.
Update security protections: Download the latest security patches as soon as new releases are available, and always double-check that they come from a trusted source.