CMMC: Understanding What the DoD Is Looking For

CMMC: Understanding What the DoD Is Looking For


In the form of Controlled Unclassified Information (CUI), sensitive digital information is becoming more readily available and handled by more individuals within a more significant number of organizations than ever before. This includes groups that exist both as federal departments and private companies that contract with the federal government.  

With cyberattacks and cyberthreats, in general, becoming more prevalent and more parties handling, distributing, and processing CUI at lightning speed, it’s critical that this data is proactively protected. In this environment, there are bound to be vulnerabilities when human interaction is involved. Thus, a detailed plan regarding processes and procedures of how to deal with and mitigate potential threats is crucial.

The Department of Defense (DoD) agrees and has turned the focus on CMMC.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is designed to provide a unified standard for implementing cybersecurity protocols across the Department of Defense’s (DoD) defense industrial base or the roughly 300,000 organizations within their supply chain. 

Before the announcement of CMMC, the contractors that make up the defense industrial base DIB were responsible for implementing, monitoring, and certifying the security of their information technology systems and any sensitive DoD information stored on those systems. 

While contractors are still responsible for implementing and adhering to cybersecurity requirements, CMMC takes things a step further, mandating third-party assessments of a contractor’s compliance and processes to combat growing cyber threats.

Which CMMC Level Is Right for Your Organization?

There are 5 levels of CMMC certification that a company can achieve, each conveying a different layer of maturity reached and reliability in practice for a businesses’ cybersecurity process. Each level takes a tiered approach and builds on the one before its technical requirements. With a critical need to protect vulnerable government information, the defense industrial base will need to consider each tier carefully. 

An overview of the relevant processes for each level breaks down like this: 

Level 1 – Basic Cyber Hygiene. At this level, an organization must demonstrate the very basics of cybersecurity in consistent practices. For example, using antivirus software or requiring employee password changes regularly. 

Level 2 – Intermediate Cyber Hygiene. An organization must have documented processes for protecting any Controlled Unclassified Information (CUI), or in other words, any information that law, regulations, or policy requires safeguarding. 

Level 3 – Good Cyber Hygiene. Here, a company has an institutionalized management plan to implement and maintain best practices for protecting CUI, including all NIST 800-171 Revision 2 requirements and additional standards. 

Level 4 – APT. At this level, an organization must have processes in place for measuring and analyzing the effectiveness of their current cybersecurity system, in addition to established practices to identify and respond to advanced persistent threats (APT). APT is defined as “is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attacks.” 

Level 5 – Optimized. At this point, a company must achieve organization-wide standardization, implementation, and optimization of its cybersecurity management plan, processes, and best practices.

How Do You Get Started?

The Smithers Quality Assessments Division is committed to and ready to support your company’s initiatives in reaching CMMC and improving your cybersecurity protocols. For more insights, please take a look at our CMMC Companion Guide, or if you have any questions, reach out to our cybersecurity expert.

 

Download our CMMC Companion Guide below:

How can we help?

Cancel
Show Policy

Learn More

Latest Resources

See all resources