CMMC and What You Need to Know

Following the much-anticipated final draft of the Cybersecurity Maturity Model Certification (CMMC) v1.0, released January 31, 2020, many contractors are hastening to improve their security standards. If your organization has not yet engaged in CMMC preparation activities, you have fallen behind the pack. Within the next few months, the Department of Defense will begin using the CMMC audit standards when determining contract awards.

One of the most far-reaching aspects of the new certification is that even traditionally non-defense companies will need to show compliance with the practices and processes set forth by the CMMC model. It is conservatively estimated that 200,000-350,000 contractors, including custodial companies, bookkeepers, caterers, and small IT firms, will need to hold a CMMC. This follows from the conclusion Pentagon officials reached that one of their greatest cybersecurity risks derives from the second- and third-tier contractors who work in tandem with the DoD. With this in mind, when it comes to awarding business, cybersecurity is set to be the “fourth critical measurement” for business, behind quality, cost, and schedule.

So what exactly is the CMMC and what are the requirements for certification?

The CMMC measures the maturity of an organization’s cybersecurity processes and practices across five levels covering seventeen domains, as shown in Figure 1.  The domains are broad categories of critical security functions such as Access Control, Identification and Authentication, Incident Response, etc., much like the control families from the NIST SP 800-53 security controls catalog.  The seventeen domains are further broken down into 43 capabilities and 171 practices, which are essentially more granular security controls; each practice is assigned to exactly one of the five levels.

Figure 1: Maturity Levels and Domains of the CMMC

Each level specifies a certain set of processes and practices that have to be implemented across the domains.  The levels build on each other, and thus in order to achieve a higher CMMC level, your organization must demonstrate compliance in the preceding levels. The levels range from very basic safeguarding of Federal Contract Information, to continuous monitoring with optimized practices and efficient processes.  The table below summarizes the focus and requirements of each level.

Level 1
  Focus: Safeguard Federal Contract Information (FCI)
  Process requirement: the organization performs the specified practices.
  Practice requirement: implement 17 practices (Basic Cyber Hygiene).

Level 2
  Focus: Transition step to protect Controlled Unclassified Information (CUI)
  Process requirement: the organization establishes and documents practices and policies.
  Practice requirement: implement the 17 Level 1 practices plus 55 additional practices, for a total of 72 (Intermediate Cyber Hygiene).

Level 3
  Focus: Protect CUI
  Process requirement: the organization establishes, maintains, and resources a plan demonstrating the management of activities for practice implementation.
  Practice requirement: implement all Level 1 and 2 practices plus 58 additional practices, for a total of 130 (Good Cyber Hygiene).

Level 4
  Focus: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
  Process requirement: the organization reviews and measures practices for effectiveness.
  Practice requirement: implement all Level 1, 2, and 3 practices plus 26 additional practices, for a total of 156 (Proactive).

Level 5
  Focus: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
  Process requirement: the organization standardizes and optimizes process implementation across the organization.
  Practice requirement: implement all Level 1 through 4 practices plus 15 additional practices, for a total of 171 (Advanced/Progressive).

Qmulos has created a sorted and filterable spreadsheet of all the discrete capabilities and practices required at each level that you can use to assess your organization’s maturity level. 

Spreadsheet can be downloaded here or below
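The cumulative rule above (a level is only achieved when every practice at that level and all lower levels is implemented, and the process requirement for that level is met) is easy to get wrong in a hand-maintained spreadsheet. The following is an added example, not Qmulos code and not part of the original post, that applies the rule mechanically. It relies on the CMMC v1.0 practice identifier format DOMAIN.LEVEL.NNN (for example AC.1.001), in which the middle field is the level; the inventory embedded in the script is a constructed subset in that format, standing in for the full 171-practice list from the spreadsheet, so the published per-level totals are included only as a sanity check for a full inventory.

```python
"""Compute the CMMC v1.0 level an organization can claim from its practice
inventory, the practices it has implemented, and its process maturity.

Added example (not Qmulos code).  Assumes the CMMC identifier format
DOMAIN.LEVEL.NNN; SAMPLE_INVENTORY is a constructed subset, not the catalog.
"""
import re
from collections import defaultdict

# DOMAIN is a two-letter domain abbreviation, LEVEL is 1-5, NNN a 3-digit sequence.
PRACTICE_ID = re.compile(r"^([A-Z]{2})\.([1-5])\.(\d{3})$")

# Cumulative practice counts published for CMMC v1.0 (17, 72, 130, 156, 171).
PUBLISHED_CUMULATIVE = {1: 17, 2: 72, 3: 130, 4: 156, 5: 171}

# Constructed subset for illustration; the real inventory comes from the spreadsheet.
SAMPLE_INVENTORY = [
    "AC.1.001", "AC.1.002", "IA.1.076", "SI.1.210",
    "AC.2.005", "AU.2.041", "IR.2.092",
    "AC.3.017", "AU.3.045", "RM.3.144",
    "AU.4.053", "IR.4.100",
    "AC.5.024", "IR.5.106",
]


def parse_practice_id(pid):
    """Split 'AC.1.001' into ('AC', 1, 1); reject anything not in CMMC format."""
    m = PRACTICE_ID.match(pid)
    if not m:
        raise ValueError(f"not a CMMC practice id: {pid!r}")
    domain, level, seq = m.groups()
    return domain, int(level), int(seq)


def practices_by_level(inventory):
    by_level = defaultdict(set)
    for pid in inventory:
        _, level, _ = parse_practice_id(pid)
        by_level[level].add(pid)
    return by_level


def cumulative_counts(inventory):
    """Running total of practices through each level, in the table's terms."""
    by_level = practices_by_level(inventory)
    total, out = 0, {}
    for level in range(1, 6):
        total += len(by_level[level])
        out[level] = total
    return out


def inventory_matches_published(inventory):
    """True only for a complete v1.0 inventory (17/72/130/156/171)."""
    return cumulative_counts(inventory) == PUBLISHED_CUMULATIVE


def achieved_level(inventory, implemented, process_maturity):
    """Highest level L such that all practices at levels 1..L are implemented
    and the organization's process maturity (1=performed ... 5=optimizing)
    is at least L.  Levels are cumulative: one missing Level 1 practice
    caps the result at 0 no matter how many higher practices are in place."""
    implemented = set(implemented)
    unknown = implemented - set(inventory)
    if unknown:
        raise ValueError(f"implemented ids not in inventory: {sorted(unknown)}")
    by_level = practices_by_level(inventory)
    achieved = 0
    for level in range(1, 6):
        if not by_level[level] <= implemented or process_maturity < level:
            break
        achieved = level
    return achieved


def gap_report(inventory, implemented, target_level):
    """Practices still missing for target_level, grouped by domain."""
    implemented = set(implemented)
    gaps = defaultdict(list)
    for pid in inventory:
        domain, level, _ = parse_practice_id(pid)
        if level <= target_level and pid not in implemented:
            gaps[domain].append(pid)
    return {d: sorted(p) for d, p in sorted(gaps.items())}


if __name__ == "__main__":
    done = set(SAMPLE_INVENTORY) - {"AU.3.045"}   # everything but one Level 3 practice
    print("achieved level:", achieved_level(SAMPLE_INVENTORY, done, 3))   # 2
    print("gaps for level 3:", gap_report(SAMPLE_INVENTORY, done, 3))
    print("full inventory?", inventory_matches_published(SAMPLE_INVENTORY))  # False
```

Run it against the real spreadsheet by replacing SAMPLE_INVENTORY with the full practice list; inventory_matches_published then confirms the list is complete before any level is computed. The process_maturity argument is the organization's honest self-rating against the process column of the table; it deliberately caps the result, because 130 implemented practices with undocumented processes is still not Level 3.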

As you can see, CMMC covers a broad set of domains with a comprehensive set of policy, procedure, management and technical controls that need to be implemented and assessed regularly.  If you’re feeling a little overwhelmed after reviewing all of those detailed requirements, not to worry – our Splunk premium apps Q-Compliance and Q-Audit are purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements like CMMC. Q-Audit provides prescriptive, out-of-the-box auditing capabilities that satisfy many of the practice requirements from the CMMC Audit and Accountability domain.  Q-Compliance is built upon the same standards and best practices that the CMMC has adopted and we have enhanced it with features specifically for CMMC.  We align specific security controls with the domains, capabilities, and practices from CMMC and use real-time log and event data from Splunk to help you automate the assessment and scoring of your organization’s practices against the maturity levels defined in CMMC.  In addition, we have codified industry best practices into the workflow of the application that will help your organization institutionalize and optimize the processes that improve your cyber posture and protect sensitive information such as Federal Contract Information and Controlled Unclassified Information.

Stay tuned for more details on how Qmulos can help you with CMMC assessments.

Introducing the Dynamic Control Architecture

Organizations are often faced with requirements for compliance against multiple frameworks, standards, or regulations. Qmulos’ Enterprise Compliance (Q-Compliance) application, powered by Splunk, has a Frameworks Dashboard feature that enables organizations to score themselves against other frameworks using the NIST 800-53 controls catalog as the common Rosetta Stone across these other frameworks. In the Spring Release, Q-Compliance takes this flexibility to the next level with the introduction of the Dynamic Control Architecture.

The Dynamic Control Architecture will enable Q-Compliance to integrate controls from multiple standards beyond NIST 800-53 such as GDPR, HIPAA, PCI and even custom controls. Now organizations can automate compliance against multiple standards down to the individual control level independent of any mappings. Compliance against those multiple standards can be automatically assessed against a single source of truth, the events in the Splunk indexes, using a vast and growing library of reusable components for analytics and visualizations. In addition, these analytics and visualizations for technical control evidence can be added or changed dynamically through a simple plug-and-play interface allowing for easy customization.

Happy Fifth Anniversary!

I can’t believe it, but Qmulos is celebrating our Five-Year Anniversary!  I couldn’t be more excited about our clients, our team, and our future.  I don’t usually like to talk about ourselves; I prefer to let our customers do the talking for us, but I’d like to make an exception, just this once.

We started with an idea and a passion to change how cyber compliance gets done and what it could mean to overall security if it was done right.  We used to share the belief, one that many security practitioners still hold, that compliance is a complete waste of time and money and doesn’t actually improve security.  People even started calling it “risk management” to get away from the negative connotations of “compliance,” but this didn’t actually change anything.  CISOs I have worked with in virtually every industry have essentially been forced, due to fear of audit findings, to spend untold millions on armies of people to generate paperwork, issue data calls, fill in static spreadsheets, and upload “evidence” into extremely expensive legacy GRC tools, where they spend many more millions to show auditors how “secure” they are and how well they are managing risk.  Sadly, this had been going on for 30 years, and we felt it was finally time for a change.

What we realized when we started the company was that implementing a set of thoughtful security controls, the underpinnings of cybersecurity compliance, and monitoring them in near-real time is extremely valuable to improving real security.  The only bad thing was the way this was being done.  Out of necessity, since it was the best technology available, compliance was implemented using relational databases.  The Gartner Quadrant for IT-GRC is littered with legacy vendors promoting this type of approach.  The problem is that this architecture does not provide the vital flexibility and adaptability necessary to do compliance in a valuable way.  Compliance, or real-time risk management, requires a method to keep up with a large volume of constantly changing disparate data from various tools, operating systems, and devices across your IT infrastructure to inform security personnel and system owners about the real-time status of their security controls and systems.

We solved this problem by building the first, as far as we know, integrated risk management (IRM) solution on top of the world’s leading big data platform, Splunk!  As a result, we’ve come full circle to understand that compliance (i.e., monitoring a comprehensive set of security controls), when done on big data, is VITAL to real security.  To understand the value, just look at the security controls within the NIST RMF catalog (NIST SP 800-53).  These controls have been defined over many years, are updated frequently, and cover virtually every threat.  What does that mean?  Well, if you can implement and monitor this holistic set of security controls in near real time, you will likely have the best security program on the planet, the exact opposite of a complete waste of time and money!

Qmulos has realized the dream of Information Assurance professionals at all levels across the Globe.  We have disrupted the legacy compliance market and are enabling CISOs around the country to realize that doing “compliance” on top of big data is the best way to dramatically improve operational security.  We are enabling CISOs to finally bring together their operational security budgets and resources with their compliance budgets and resources and align them toward one common goal – better security.  At Qmulos, we holistically define what you need to monitor (breadth of security controls), enable you to do so accurately (automation), in a timely manner (near-real time), and on a flexible platform (Splunk) that adapts to constantly changing environments in hours instead of months.

I am very proud of how far we’ve come, very appreciative of all of our forward-thinking customers and partners who immediately saw the value of our “new paradigm” of compliance on big-data, and very grateful for our dedicated team of super-humans, thanks Qmulites!  The future is limitless as we continue to help others realize the value of doing compliance and risk management in a way that improves security!

Qmulos Announces Participation at Splunk .conf2017 and Fall 2017 Release of Q-Compliance

Arlington VA – September 25, 2017 – Qmulos, a Splunk Technology Alliance Partner, today announced the Fall 2017 release of Qmulos Enterprise Compliance (Q-Compliance) to help customers streamline and automate IT compliance activities in alignment with the NIST Risk Management Framework (RMF).

Designed to automate, integrate, and provide continuous monitoring of all categories of security controls, the solution includes support for all four types of IT compliance evidence (Policies & Procedures, Human Activity, Technical, and Ad-Hoc Queries), built on the Splunk® platform.

Q-Compliance leverages the Splunk platform to transform compliance activities into actionable security value, connecting previously siloed compliance and security functions towards a common goal.  Qmulos Enterprise Compliance helps users of Splunk Enterprise uncover the value of compliance automation. Qmulos’s compliance experts will be at Splunk .conf2017 in Booth G6 to demo the solution, and an online preview is available here.

Highlights of the solution include:

  • Unlimited Multi-Tiered Organization Hierarchies
  • Support for System and Enterprise Level Risk Management Assessments derived from SCAP (Security Content Automation Protocol) validated tools
  • Out-of-the-box and custom overlay development templates
  • Integrated POAM management support
  • Role-based dashboards for executives, ISSOs, and compliance staff
  • “Measure Once, Report Many” for leading frameworks – support for reporting against frameworks and mandates including NIST SP 800-53r4 control instrumentation, NIST RMF and CSF automation, HIPAA, DFARS CUI (NIST SP 800-171) requirements, SANS/CAG 20 Critical Controls, FedRAMP, CJIS, and others.

“IT Audit and Compliance automation is an investment that pays for itself, not only in savings, but in improving a customer’s actual security posture,” said Matt Coose, CEO and founder of Qmulos.  “Leveraging the Splunk platform enables IT data to be repurposed for compliance and audit use cases, cybersecurity investigations, and even preparing board-level presentations, enabling enterprises to more easily gain value from their data.”

“As organizations continue to undergo digital transformations, it’s important to leverage the data needed for security and compliance to deliver business insights, automation controls and value to the boardroom,” said Haiyan Song, senior vice president and general manager of Security Markets, Splunk. “Qmulos is a great example of a Splunk partner providing unique compliance expertise to enable that capability for our mutual customers.”

“By 2020, 100 percent of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, which is up from today’s 40 percent,” noted Gartner in the March 2016 report How to Build an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors by Paul Proctor, Jeffrey Wheatman, and Rob McMillan.