Overview of the Cybersecurity Maturity Model Certification

What is the CMMC?

The CMMC, or Cybersecurity Maturity Model Certification, was created by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to enhance the cybersecurity of contractors and subcontractors in the defense supply chain.

They have released a video to help explain it: https://www.dvidshub.net/video/912871/cybersecurity-maturity-model-certification-cmmc-proposed-rule-overview

Who does it apply to?

All contractors and subcontractors of the Department of Defense.

How do I get certified at Level 2?

An accreditation body is enlisting assessment companies today. Visit the CMMC-AB marketplace to find an assessment organization.

Do I have to pay for an assessment?

Yes, Level 2 assessments must be paid for. The exact cost depends on where CUI is stored, whether you are using cloud services, and the number of locations an assessor will have to visit. Be sure to shop around!

What is the NIST SP 800-171 DoD Assessment Score, or Supplier Performance Risk System (SPRS) score?

The DoD has developed a scoring rubric as part of its NIST SP 800-171 Assessment Methodology dated June 24th, 2020. The Security Catapult, as part of your CMMC assessment, will generate a SPRS score and SPRS assessment report from your answers. Scoring starts at 110 points, and you subtract 1, 3, or 5 points from your score for each missing practice. There is no partial credit, and yes, you can have a negative score. Note that CMMC has adopted this scoring system as part of the assessment process. Pay special attention to the "5 point" practices!


Digging in to the CMMC

What are CMMC Domains?

The CMMC specifies 14 Domains, each a grouping of cybersecurity practices (or controls). This is for organizational purposes, but it also serves as a natural grouping for your security plans and policies.

What are Practices?

CMMC Practices may be referred to as controls in other frameworks. This is where you find what actually needs to be done. There are 110 different Practices in total for Level 2.

Do I have to implement every Practice?

The practices you need to implement depend on which Maturity Level you wish to achieve. Maturity Level 1 has 17 required practices, Level 2 has 110, and Level 3 has not been determined yet, but will be based upon NIST SP 800-172.


Frequently Asked Questions

How do I write a Policy?

Every organization should have a leadership-approved policy backing up its cybersecurity efforts. A policy is a description of a practice which has been put into place and is required by the organization. The organization may want to group Policies by Domains. Policies must be approved by a leadership position, management team, or Board. Policies must be reviewed, and a revision history noted.

The CMMC Catapult will prompt you to answer questions about your Practice implementation, and generate Policies on the fly!

If this seems like a lot, it is! Your organization may be overwhelmed implementing all of the practices, and not have the time to create all the documentation needed to achieve the required process maturity. The CMMC Catapult will create policies and plans on the fly, and give you tools to record your implementations. Contact us now!

How do I write a System Security Plan?

Designed at the Domain level, this describes how you are implementing the practices within each applicable capability in your organization. It includes details such as staffing, training, funding, and tools implemented. It may feel redundant to your policy, and in some cases it may be. Where a policy may be generic in terms of what is required ("All workstations have anti-virus"), the Plan will be specific ("All workstations have 'Product Name' installed").

The CMMC Catapult will prompt you for all this information, and generate the Plan for you when you are done!