Cybersecurity Maturity Model Certification (CMMC) is a program initiated by the United States Department of Defense (DoD) to measure its defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. At a high level, the framework is a collection of processes, other frameworks, and inputs from existing cybersecurity standards such as NIST, FAR, and DFARS.
At a tactical level, the primary goal of the certification is to improve the surety and security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is in the possession and use of the DoD's federal contractors. The CMMC program was announced on January 31, 2020.
The CMMC details five security levels, ranging from basic cyber hygiene to advanced security operations.
- Level One: Basic Cyber Hygiene
  - Requires that an organization perform a specified set of practices.
  - Consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
- Level Two: Intermediate Cyber Hygiene
  - Requires that an organization establish and document practices and policies.
  - Serves as a progression from Level 1 to Level 3 and consists of security requirements specified in NIST SP 800-171.
- Level Three: Good Cyber Hygiene
  - Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.
  - Focuses on the protection of CUI (NIST SP 800-171 and DFARS clause 252.204-7012).
- Level Four: Proactive
  - Requires that an organization review and measure practices for effectiveness and take corrective action when necessary.
  - Focuses on the protection of CUI from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from NIST SP 800-171B as well as other cybersecurity best practices.
- Level Five: Optimizing
  - Requires an organization to standardize and optimize process implementation across the organization.
  - Increases the depth and sophistication of cybersecurity practices.
CMMC at Kremin Inc.
At Kremin Inc., we have been in the process of implementing and preparing for our CMMC verification since the announcement early this year. If your project requires a vendor with CMMC, please reach out to us for more information.