Cybersecurity Maturity Model Certification (CMMC)
Readiness Assessment Services
24By7Security offers Cybersecurity Maturity Model Certification (CMMC) readiness services for defense contractors.
In upcoming months, the Department of Defense will require that all defense contractors and suppliers doing business with the DoD comply with CMMC standards. In response to increased and constantly evolving cyber threats, the Department of Defense has established this new security measure to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other national security related sensitive data on systems and networks owned by defense contractors.
The CMMC model has five levels.
Get a head start and prepare for CMMC compliance with 24By7Security
The 24By7Security team is experienced in preparing organizations for cybersecurity audits, regulatory compliance, and certification readiness. Certification readiness and preparation are the most arduous part of the certification process. We can guide your organization through this process in the most efficient and cost-effective manner.
Starting in November 2020, a select number of DoD RFPs will include a requirement that all bidding contractors hold at least a Level 1 CMMC certification to qualify. These certification requirements will continue to be phased in over the next several years until certification is a prerequisite to bid on any contract with the DoD. The best way to comply with these requirements is to follow the four-step path to CMMC outlined below.
1. Gap Assessment - We can help you identify the gap between your current state and the CMMC level you wish to meet.
2. Remediation - We can help you prepare your remediation plan, follow through on your remediation activities, and implement the required changes.
3. Audit and Certification - This is when it's time to hire a C3PAO (Certified Third Party Assessment Organization), undergo an audit, and work with the C3PAO to get certified at the desired level.
4. Optimization - Once certified, you should plan to be on a path of continuous improvement and optimization of your operations.
Our Services for CMMC Readiness:
To help you remain qualified as a DoD contract bidder, we can assist you with the following pre-certification efforts:
- Gap assessment between your current state and CMMC requirements
- Remediation Roadmap to address any gaps
- Assistance with remediation as needed
- Policy and procedure preparation
- Vulnerability Assessments, Penetration Testing and other services as may be required
What are the 5 Levels of CMMC?
In time, all defense contractors will be required to achieve at minimum Level 1 certification.
There are five levels of maturity within the CMMC model, beginning with Level 1 (“Basic Cyber Hygiene”) and culminating with Level 5 (“Advanced/Progressive”). The levels are cumulative, meaning that organizations wishing to achieve a certain CMMC level must satisfy all requirements for the preceding levels. Failure to meet any single item required for a given level will result in an organization being certified at the level below it.
To reach any given level, organizations must satisfy the required processes and practices specified for that level.
According to Version 1 of CMMC, here’s what is required at each of the five levels:
- Level 1 - Basic Cyber Hygiene: This level focuses on the protection of FCI and requires that organizations comply with the basic safeguarding requirements in 48 CFR 52.204-21. Process maturity is not assessed at this level.
- Level 2 - Intermediate Cyber Hygiene: Level 2 is a transition step from protecting FCI to protecting CUI and is the first stage at which organizations must establish and document practices and policies to guide CMMC implementation. Organizations wishing to achieve Level 2 certification must comply with all requirements of Level 1 and a subset of the requirements in NIST SP 800-171.
- Level 3 - Good Cyber Hygiene: Building on Level 2, Level 3 requires that organizations have a plan for ensuring practices are implemented and focuses on the protection of CUI. To achieve Level 3 certification, an organization must meet all 110 security requirements of NIST SP 800-171 plus additional practices drawn from other sources; Level 3 also aligns with DFARS clause 252.204-7012, which already requires contractors handling CUI to implement NIST SP 800-171.
- Level 4 - Proactive: In Level 4, organizations must review and measure the degree to which their practices are effective, and must put in place practices to protect CUI from advanced persistent threats (APTs). This involves compliance with Draft NIST SP 800-171B along with additional cybersecurity best practices.
- Level 5 - Advanced/Progressive: Organizations that achieve Level 5 certification will have standardized and optimized process implementation across their organizations and put in place practices that increase the depth and sophistication of their protection from APTs.