The Cybersecurity Maturity Model Certification (CMMC) is a set of voluntary standards that provide Federal contractors and grantees with a framework to protect their systems and data from Cyber threats. The CMMC was created by the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security in response to Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The CMMC provides a 5-level maturity model that organizations can use to assess their Cybersecurity posture and identify areas for improvement.
The CMMC maturity model is composed of 17 capabilities, which are grouped into 5 levels of increasing maturity: Basic Cyber Hygiene, Foundational, Intermediate, Good Cyber Hygiene, and Advanced/Progressive. Here’s a look at each of the 5 levels:
- Basic Cyber Hygiene: The Basic Cyber Hygiene level includes the 17 Cybersecurity capabilities that organizations must implement to meet the Cybersecurity requirements of Federal contracts.
- Foundational: The Foundational level builds on the Basic Cyber Hygiene level and adds 8 additional Cybersecurity capabilities.
- Intermediate: The Intermediate level builds on the Foundational level and adds 10 additional Cybersecurity capabilities.
- Good Cyber Hygiene: The Good Cyber Hygiene level builds on the Intermediate level and adds 11 additional Cybersecurity capabilities.
- Advanced/Progressive: The Advanced/Progressive level builds on the Good Cyber Hygiene level and adds 12 additional Cybersecurity capabilities.
To achieve CMMC compliance, organizations must first complete a Cybersecurity Maturity Model Certification self-assessment. This assessment will identify the Cybersecurity capabilities that the organization has in place and the maturity level of those capabilities. Once the self-assessment is complete, the organization can then begin working towards achieving compliance with the CMMC standards.
The CMMC is designed to be flexible, so that organizations can tailor their Cybersecurity programs to meet their specific needs. CISA plans to pilot the CMMC in 2019 with a select group of Federal contractors and grantees. Once the pilot is complete, CISA will make the CMMC available to all Federal contractors and grantees.
The CMMC is voluntary, but CISA encourages all Federal contractors and grantees to use the CMMC to assess their Cybersecurity posture and identify areas for improvement. Cyber threats are constantly evolving, and it is important for organizations to continuously update their Cybersecurity programs to keep pace with the latest threats. The CMMC can help organizations do just that.
If your company is a Federal contractor or grantee, you should consider becoming CMMC compliant. The Cybersecurity threats that organizations face today are more sophisticated and persistent than ever before, and it is important to take steps to protect your systems and data. The CMMC can help you do just that. For more information on the CMMC, visit www.ironedgegroup.com.