CMMC Compliance and What You Need to Know

The Department of Defense is now using the Cybersecurity Maturity Model Certification (CMMC) V1.0 standard as a determinant for awarding contracts. Following the much anticipated release of the CMMC in January, many contractors are hastening to improve their security standards. If your organization has not yet engaged in CMMC preparation activities, you are falling behind. But don’t fret – Qmulos has you covered!

Why Should I Care?

One of the biggest takeaways around the new certification is that non-defense companies must now show compliance with the practices and processes set forth by the CMMC Model. As a result, conservative estimates put the number of contractors that will need to hold a CMMC certification at 200,000-350,000, including custodial companies, bookkeepers, caterers, and small IT firms.

This new model follows the Pentagon’s conclusion that one of its greatest cybersecurity risks comes from second- and third-tier DoD contractors. Now, when it comes to awarding contracts, cybersecurity will be the “fourth critical measurement,” along with quality, cost, and schedule.

So, what exactly is the CMMC and what are the certification requirements?

The CMMC measures the maturity of an organization’s cybersecurity processes and practices across five levels covering seventeen domains, as shown in Figure 1, below. The domains are broad categories of critical security functions such as Access Control, Identification and Authentication, Incident Response, etc. These should sound familiar, as they come directly from the NIST 800-53 control families. The seventeen domains are further broken down into 43 more granular security capabilities and 171 best practices.

The 5 CMMC Levels and Their Corresponding Processes and Practices

Each level specifies a set of processes and practices that must be implemented across the domains. Furthermore, the levels are cumulative: to achieve a higher CMMC level, your organization must first demonstrate compliance with all lower levels. The levels range from very basic safeguarding of Federal Contract Information to continuous monitoring with optimized practices and efficient processes.

The table below summarizes the focus and requirements of each level.

| Level | Focus | Process Requirements | Practice Requirements |
|---|---|---|---|
| 1 | Safeguard Federal Contract Information (FCI) | Requires that an organization perform the specified practices. | Implement 17 practices to provide Basic Cyber Hygiene. |
| 2 | Transition step to protect Controlled Unclassified Information (CUI) | Requires that an organization establish and document practices and policies. | Implement the 17 Basic Cyber Hygiene practices plus an additional 55, for a total of 72 practices, to provide Intermediate Cyber Hygiene. |
| 3 | Protect CUI | Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. | Implement all practices from Levels 1 and 2 plus an additional 58, for a total of 130 practices, to provide Good Cyber Hygiene. |
| 4 | Protect CUI and reduce risk of Advanced Persistent Threats (APTs) | Requires that an organization review and measure practices for effectiveness. | Implement all practices from Levels 1, 2, and 3 plus an additional 26, for a total of 156 practices, to provide Proactive cybersecurity practices. |
| 5 | Protect CUI and reduce risk of APTs | Requires that an organization standardize and optimize process implementation across the organization. | Implement all practices from Levels 1 through 4 plus an additional 15, for a total of 171 practices, to provide Advanced/Progressive cybersecurity practices. |

In short, CMMC covers a broad set of domains, including a comprehensive set of policy, procedure, management, and technical controls. These controls must be implemented and assessed regularly. Qmulos created the sortable spreadsheet below listing all the discrete capabilities and practices required at each level. Use it to assess your organization’s present maturity level.

[Figure: screenshot of the Excel spreadsheet of CMMC levels, domains, capabilities, practices, and processes; the spreadsheet is available for download from the original post.]

So, How Can Qmulos Help?

Understandably, you might be feeling a little overwhelmed after seeing all of those detailed requirements. However, there is no need to worry. Qmulos’ Splunk premium apps, Q-Compliance and Q-Audit, are purpose-built to streamline and automate complex cybersecurity requirements like CMMC. Q-Compliance is built upon the same standards and best practices adopted by CMMC, and we further enhanced it with features specifically for CMMC. In addition, Q-Audit provides prescriptive, out-of-the-box auditing capabilities to meet ICS 500-27, and meeting the ICS 500-27 standard satisfies many of the practice requirements from the CMMC Audit and Accountability domain.

Additionally, we align specific security controls with the domains, capabilities, and practices from CMMC. We leverage real-time log and event data from Splunk to automate the assessment and scoring of your organization’s practices against the CMMC maturity levels. Furthermore, we codified industry best practices into the application workflow, enabling your organization to institutionalize and optimize processes that improve your cyber posture and protect sensitive information such as Federal Contract Information and Controlled Unclassified Information.

Stay tuned to learn more about how Qmulos can simplify your CMMC efforts.
