Learn how to prepare for CMMC certification
The Cybersecurity Maturity Model Certification (CMMC) program is a set of standards all organizations must meet to bid on or renew contracts with the United States Department of Defense (DoD) contracts. CMMC applies to DoD contractors and subcontractors.
DoD released CMMC model version 1.0 in January 2020, with the anticipation it would appear in all requests for information (RFIs) in June 2020 and then in all requests for proposals (RFPs) by fall 2020. Version 1.02 was released in March. It is not retroactive for existing contractors; however, if your organization wants to bid on new contracts or renew an existing contract, you must be CMMC-certified.
In this CMMC fundamental page, we’ll walk you through some key points about the Cybersecurity Maturity Model Certification program, including what it is, who needs CMMC certification, and steps you can take to build your CMMC framework and work toward CMMC certification.
Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).
The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. CMMC standards apply to contractors and subcontractors wanting to bid on DoD projects.
CMMC is an extension of the Controlled Unclassified Information (CUI) program, a program the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.
CUI standards are guided by a framework from the National Institute of Standards and Technology (NIST), NIST SP 800-171, which creates minimum standards for how organizations handle CUI information in non-federal information systems.
The goal of CMMC is to protect CUI and to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. And, even if your organization doesn’t have CUI, but you have federal contract information (FCI), you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).
Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardization protocols to ensure they meet those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.
To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.
You can find the CMMC framework in the Apptega cybersecurity and compliance management platform. With Apptega, you can easily identify which CMMC certification level is appropriate for your organization and use predefined controls to build your framework and conduct an initial readiness assessment.
Reach your CMMC compliance goals by using Apptega to:
If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified.
If you’re unsure, answer the following questions:
It’s important here to point out that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at least at Level 1 (or potentially higher) based on your relationship. Likewise, if you use contractors or subcontractors related to a DoD contract, those contractors and subcontractors should also be CMMC certified. Also, even if your organization doesn’t access CUI, but you have access to FCI, you should be CMMC-certified.
DoD contractors must be certified at least at CMMC Level 1; however, more advanced cybersecurity measures may be required based on the nature of your organization and contractual agreement. We’ll go into more detail in another section below, but the five core CMMC certification levels are Level 1: Perform, Level 2: Document, Level 3: Manage, Level 4: Review, and Level 5: Optimize.
Because of the increasing number of cyber threats across all industries, and especially those emanating from foreign bad actors, the DoD’s Defense Industrial Base (DIB) is in the crosshairs for cyber attackers.
Since 2018, DoD contractors and subcontractors have been expected to meet NIST 800-171 compliance standards and take steps to protect all non-classified protected information as part of the government’s Controlled Unclassified Information (CUI) program. While many organizations developed their own security practices to safeguard CUI, overall, there was no common framework for holding organizations accountable. For this reason, the government released CMMC v1.0 in early 2020.
Drawing on NIST 800-171, the CMMC standards also pull from other frameworks best practices including NIST 800-53, ISO 27031, and ISO 27032. Together, they encompass a unified set of security standards that cover 17 domains from access control to system and information integrity.
CMMC requirements are expected to be included in all Requests for Information (RFIs) and Requests for Proposals (RFPs) from the Department of Defense for new contracts and renewals in 2020, so now is the time to build your CMMC framework to ensure you’ll ace that audit when it’s time to get your certification. Apptega can help. Apptega can help you effectively manage and report on your CMMC compliance.
In this on-demand video, you can learn more about how Apptega can help you:
Apptega can help you manage your Cybersecurity Maturity Model Certification framework and other cybersecurity frameworks all in one platform. Using Apptega Harmony, you can even crosswalk your frameworks, for example, NIST 800-171 and CMCC.
Apptega key features:
"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."
The Cybersecurity Maturity Model Certification consists of 171 practices spanning five CMMC certification levels. Level 1, Perform, is the lowest CMMC level and covers basic cyber hygiene practices. Levels 2-5 are designed to mature your cybersecurity practices ranging from implementation of immediate cyber hygiene to advanced and progressive practices.
All CMMC levels, processes, and practices are cumulative beginning at Level 1. DoD will list CMMC level requirements in each RFI and RFP.
In the CMMC Compliance Domains and CMMC Capabilities sections below, we’ll take a deeper dive into the practices and processes related to each level. Before we do, we've provided a high level overview in the CMMC Certification Levels section below.
CMMC certification sets five core levels for compliance. Every DoD contractor and subcontractor should meet at least Level 1, which covers basic hygiene and will likely be applicable to many smaller contractors. Larger, more sophisticated projects will likely require higher certification levels, like Levels 4 and 5, which demonstrate highly-matured and well-documented cybersecurity practices to protect CUI. But what happens for mid-sized contractors? How do you know which certification level is right for the contract you’re interested in? Check out this blog to explore some of the benefits and risks related to CMMC.
Read More
Organizations of all sizes can use Apptega’s cybersecurity management platform to help implement and manage your CMMC program and prepare for certification. You can even use it to map your existing NIST 800-171 practices to your CMMC certification goals. This new standard may affect more than 300,000 organizations, so if you’re one of them, you’ll want to have access to great tools that can help you develop your framework, instantly assess your readiness, identify gaps and weaknesses, and mature your program over time. Check out this post to learn more about how Apptega can help you be confident in your CMMC compliance strategies and have clear insight into how you’re doing at any time.
Read More
If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: The relationship between NIST 800-171 and CMMC; How to become CMMC-certified; and Challenges for companies facing compliance standards.
Watch Now
There are more than 20 major cybersecurity frameworks out there today, so how do you know which is right for your organization? How do you know which ones are complementary or can be mapped to one another? Check out this on-demand webinar to learn more about: How some of the more common frameworks are used; Similarities between popular frameworks; and How to manage frameworks for compliance.
Watch Now
