Are you a contractor or service provider who wants to work with the Department of Defence (DoD)? You’ll need to obtain Cybersecurity Maturity Model Certification (CMMC) first.
What is CMMC Compliance?
CMMC Compliance was enforced in response to the ever-growing number of cyber attacks. It is intended to protect data across all levels of the DoD and regulates both the processes and practices concerning data protection.
There are five levels of certification, each requiring a different set of standards for processes and practices. To receive certification in each level, you must meet each of the requirements within that level for processes and practices across not one, but 17 different domains. The domains are:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Levels of CMMC Compliance
Each of the five levels of certification builds on the last. Levels are based on the number of controls that have been implemented, as outlined in two documents published by the National Institute of Standards and Technology: NIST 800-171 rev1 and NIST 800-171 rev2. A certain number of controls outside of these documents are also required for certain levels.
The five levels are named as follows:
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Good Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced / Progressive
The level you need to meet will depend on the type of information your company processes, produces and receives. If your data is considered to be Controlled Unclassified Information (CUI), you will need to obtain at least a level 3 certification. If the CUI are deemed High Value Assets (HVA), you will need at least a level 4 certification, if not level 5.
If all the data your company handles is not considered CUI, you will likely only need a level 1 or 2 certification.
Who needs CMMC Compliance?
Regardless of the type of business you run, or the size of your company, if you intend to do work with the DoD, you will need CMMC Compliance. Because CMMC is relatively new, all current suppliers will have until 2025 to obtain the required certifications.
Even if you don’t have CUI, by working with the DoD, you’ll have Federal Contract Information (FDI), requiring CMMC compliance. Having this certification will also give you an edge over your competitors who may also be seeking partnerships with the DoD. You will also be rest assured that if a cyber attack does occur, your employee and customer data will be protected.
Getting Help with CMMC Compliance
Understanding whether or not your data meets CUI criteria and taking the necessary steps to obtain certification can be daunting for many business owners. Because obtaining CMMC is a costly and complicated procedure, it is essential that you are fully prepared for the process.
Companies specializing in IT services in San Antonio can assess your business and help you prepare.