CMMC Consulting Services – Cybersecurity Maturity Model Certification

CMMC stands for “Cybersecurity Maturity Model Certification”. Version 1.0 was released on January 30th, 2020. The CMMC model measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. The model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community.

CMMC was developed under the guidance of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) along with DoD stakeholders and other entities.

The goal of CMMC is to protect these two types of information:

  1. Federal Contract Information: Information provided by or generated for the government under contract not intended for public release.
  2. Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 (Classified National Security Information) or the Atomic Energy Act, as amended.

Federal Contract Information:

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (CUI)

Federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, or other reasons pursuant to and consistent with law, regulation, and/or Government-wide policy. Historically, each agency developed its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch in which similar information might be defined and labeled differently, or where dissimilar information might share a definition and/or label, depending on the agency which originally created the information.

The Controlled Unclassified Information (CUI) program represents an unprecedented initiative to standardize practices across more than 100 separate US departments and agencies; State, local, Tribal, and private sector entities; academia; and industry, to enable timely and consistent information sharing, and to increase transparency throughout the Federal government and with non-Federal stakeholders.

CMMC encompasses the basic safeguarding requirements for federal contract information specified in FAR 52.204-21, and the NIST SP 800-171 requirements imposed by DFARS Clause 252.204-7012.

In the past, DoD (sub)contractors could fill out an attestation form, and that was enough to signify their adherence to protecting CUI. With CMMC, a formal certification element is added to verify the implementation of the processes and practices associated with achieving a given cybersecurity maturity level. This means there is no more self-attestation. Companies must do what they say, and third-party CMMC auditors will be the judge of whether companies are acting securely according to CMMC.

CMMC is hierarchical in nature:

(Figure: CMMC hierarchy diagram)

If you need assistance, have questions or are looking for CMMC consulting services, please don’t hesitate to contact us.