Secure Your Business and Defense Contracts
Get backup from our team of security and compliance experts to prepare your organization for meeting CMMC standards.
Cybersecurity Maturity Model Certification
What is the CMMC?
Level up your security program to meet future DOD requirements
The Cybersecurity Maturity Model Certification is the government’s way of keeping tabs on the security of its potential defense vendors. It provides a mechanism for the DOD to ensure their vendors are ready to work with the department. It focuses on certifying the “maturity” and “capability” of each DOD vendor’s security processes, practices, and methods. It also helps set goals and priorities for them to make improvements. The DOD will add CMMC levels to each RFP, meaning vendors who don’t possess mature enough processes may not even be allowed to submit for that proposal.
How does FRSecure approach CMMC?
The CMMC is based off of industry standards that we already use in our unique risk assessment scoring methodology. Overlaying your risk assessment results to the five CMMC levels, your organization will quickly be able to see where it stands in each of the levels. Knowing what level you want or need to be at and how you scored there, we’ll look to see where the gaps in compliance are—and then provide you with a roadmap and dedicated security resource to make sure you get to that point by the time the requirements take effect.
Level 1 focuses on the protection of FCI and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause.
Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
Self-assessment will be allowed at this level.
Level 2 focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2.
Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date.
The CMMC was created by the US Department of Defense as a way to have more control over their vendor and contractor security.
The DOD is going to create 10 RFPs with CMMC requirements in June of 2020 and then will slowly roll them out to all RFPs by the year 2026.
If you’re a part of the DOD’s supply chain or if you’re a service provider for the DOD, this will need to be something you comply with. Every contract the DOD enters will eventually have CMMC requirements. It’s anticipated that 350,000 vendors down the supply chain of the DOD will be impacted by this.
Your CMMC requirements will depend on the type of contract you’re trying to participate in. With five levels of increasing security controls, it’s likely that the impact of the contract on the defense industry will decide which of the five levels you’ll need to comply with.
The CMMC model consists of 14 domains stemming from areas in Federal Information Processing Standards (FIPS) Publication 200, Federal Acquisition Regulation (FAR) 52.204-21., and NIST SP 800-171. CMMC also includes asset management, recovery, and situational awareness.
There are specific controls that will be assessed based on the CMMC Level. The best way to ensure compliance with the CMMC model is figure out which level your contract is likely to require, conduct an information security risk assessment that maps to the standards/controls, and then work on remediating the control gaps.