What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) was developed by the U.S. Department of Defense (DoD) to establish cybersecurity standards that defense suppliers must adhere to when handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- The CMMC defines five cybersecurity maturity levels.
- The DoD sets a minimum maturity level certification as a requirement for suppliers to bid on a contract.
- CMMC maturity level certifications will be conferred by a certified third-party assessor.
- The CMMC Accreditation Body (CMMC-AB) was formed to design and oversee the certification process of all third-party assessors.
CMMC Readiness: Pre-Assessment in 6 Steps
1. Prior to assessing an organization’s CMMC readiness, the organization must determine the maturity level that it wants to be certified for. This first step is a struggle for many organizations. Through focused conversations with organizational leadership about the composition of their business and their longer-term aspirations, our consultants help our clients identify the appropriate maturity level for their business.
2. After establishing the desired CMMC maturity level, the next hurdle is gauging the scope of effort required to reach this objective. Here’s where many enterprises stumble, because it’s unfamiliar territory. The byzantine nature of federal mandates can be disorienting to even the most clear-headed organizations, so it’s hard to know where to start. Our extensive experience helping clients navigate constantly changing regulatory landscapes enables us to plot the most direct course to your goal.
3. The actual journey begins with Nettitude delving into the client’s current data risk exposure. This understanding comes from learning about the nature of the data a client processes, the purpose they put it to, where the data resides, what methods are used to transmit the data and knowing who touches that data.
4. We then dig into your organization’s existing operational documentation. By immersing ourselves in a client’s policies, procedures, asset inventory and network diagrams, we gain insight into the organization’s strategy and tactics for protecting its information assets.
5. From there, we look to get a sense of the reality on the ground through interviews of data owners and technical practitioners. During these interviews, our consultants assess the individual’s understanding and application of current information security policies in their particular role. These interviews will also explore the individual’s perception of their role as a data steward and to what extent the responsibilities of data stewardship conflict with their operational objectives. Interviews of technical practitioners will place heavy emphasis on enumerating the toolset they rely on and on evaluating the effectiveness of their data protection methods.
6. Upon completion of interviews, our consultants will have a strong understanding of the organization’s current capabilities. Comparing current capabilities against the required practices of the targeted CMMC maturity level will identify the gaps the organization needs to close in order to achieve certification for that particular maturity level. Beyond identifying these gaps, our consultants will provide practical recommendations on closing each of them.
To ensure the suitability of the end product, we fully align our project to the CMMC standard. But to ensure a proper fit to the organization, Nettitude conducts an exhaustive preliminary analysis of the scale of the organization and its data risk exposure. The result of this analysis is a project that fully addresses a client’s objectives in the most efficient manner.
With the preliminaries out of the way, we roll up our sleeves and start digging into your organization’s operational documentation to ensure that we ask informed questions in our interviews. Our clients appreciate that we’ve done our homework, because it means less handholding for them. They also like that we run tight meetings with clear objectives and are willing to work around their busy schedule.
In conducting their research, our consultants capture their observations in Nettitude’s proprietary reporting tool. Like so many Nettitude offerings, this tool is the result of a team effort where our experts established criteria and metrics that are the foundation of intuitive and informative graphics that provide high visibility into areas of risk.
Our investment of time and effort into laying a sound foundation for our pre-assessments yields quicker turnaround for reports. However, our emphasis on timely reporting is not at the expense of quality. Nettitude reports are structured to serve both executive leadership and technical teams. All of our reports undergo a rigorous internal review. Executives receive a concise Executive Summary of the project’s purpose and findings, supplemented by graphics. Technical teams are provided a detailed table of findings with actionable recommendations organized by CMMC domain. Clients can easily incorporate this table into a risk register to track progress in closing gaps as they work their way towards CMMC certification.
The table below identifies all 17 CMMC domains with the 5 CMMC maturity levels (with a single word descriptor for the particular maturity level). The CMMC model is structured by domain. Each domain is itself divided by maturity level so that the required practices for a particular maturity level fall under that maturity level’s heading. To process CUI an organization will need to achieve CMMC Level 3 certification at minimum.
NOTE: CMMC practice requirements are cumulative as the maturity level increases. For instance, to achieve Level 3 certification, an organization must not only meet all Level 3 practice requirements but also the requirements of Levels 1 and 2.
Can Nettitude confer certification for any of the CMMC Maturity Levels?
No. At this point, no organization can provide certification. The CMMC Accreditation Body (CMMC-AB) has not yet trained its first class of CMMC assessors.
What is Controlled Unclassified Information (CUI)?
CUI is information created by (or on the behalf of) the U.S. Federal Government that non-governmental entities are permitted to handle on the condition that the data is handled in accordance with a particular law, regulation or government policy. There is an extremely broad range of forms of CUI. For this reason, CUI is broken down by Organizational Index Grouping and then further broken down by CUI Categories. Defense is an Organizational Index Grouping.
How many CUI Categories are there for the Defense Organizational Index Grouping?
There are 4 Categories for Defense. However, when working for the DoD, an organization may handle CUI that falls under other Organizational Index Groupings (e.g. Procurement and Acquisition, NATO, Intelligence, etc.).
What CMMC maturity level will our organization need to be certified in?
The answer to this question depends on the nature of the work your organization intends to conduct on behalf of the DoD. The definitive answer will be provided by the DoD in its RFIs and RFPs, which will set a minimum maturity level requirement to be considered for the work.
Are DoD sub-contractors subject to CMMC?
If the sub-contractor processes CUI, then they will be subject to CMMC requirements.
How does NIST 800-171 tie into CMMC?
All NIST 800-171 rev1 security requirements are covered in CMMC Levels 1 through 3.
What is the difference between CMMC and NIST 800-171?
While there is a high degree of overlap between CMMC and NIST 800-171 there are two key points of departure. First, CMMC also incorporates control practices from NIST 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2, amongst others. Second, CMMC goes beyond a self-assessment approach to assurance, and requires certification by an accredited Third Party Assessor.
What steps should my organization be taking now?
Your organization first needs to determine the maturity level it will target. From there use the CMMC model to assess your organization’s current practices against the practice requirements of that maturity level.