The Cybersecurity Maturity Model Certification (CMMC) aims to protect America’s Defense Industrial Base (DIB), and is a long-awaited approach that follows on years of attempts to unify cybersecurity practices for Department of Defense contractors. Weapons, aircraft carriers, and planes might be the first things you think of, but the Department of Defense (DoD) and its supply chain rely heavily on information technology infrastructure and the exchange of Controlled Unclassified Information (CUI).
You may know that the DIB has a not-so-pleasant history of failing to secure this information from our adversaries’ prying eyes. Diverse digital platforms, while useful, present novel challenges due to their heterogeneous nature. The CMMC addresses this by creating standardization in a welcome maturity-based approach that doesn’t treat every organization like a federal military installation. The focus is compliance with the requirements at each target maturity level: it starts with protecting Federal Contract Information (FCI) at CMMC Level 1 and seeks to protect CUI at CMMC Level 3.
Organizations Seeking Certification (OSC) are the prime and sub-contractors providing goods and services to the DoD under Federal Contracts. When CMMC becomes official sometime in 2022, these organizations must earn a certification at their target level, or they will no longer be able to do business with the DoD or the primes. Target levels are determined by the types of information processed, stored, and/or transmitted by an OSC and will be communicated in the contracts for the primes, or by the primes to their subcontractors. If you’re only working with FCI, for instance, then your target is CMMC Level 1, and there are just 17 basic cybersecurity practices you must demonstrate as implemented in your organization to earn the certification. Demonstration is achieved during an official CMMC Assessment conducted by certified assessors working for any one of the Certified Third-Party Assessor Organizations (C3PAO). Each certification is good for three years, at which time another assessment will be conducted to keep the certification current.
The framework for the CMMC adopted the security requirements specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and added 20 CMMC-specific practices across the first three maturity levels. Presently, only the first three CMMC levels will be assessed. As mentioned, the Level 1 target is for OSCs managing FCI, whereas Level 3 revolves around management of CUI. Level 2 acts as a bridge between the two and prepares contractors that plan to handle CUI in the future. Level 2 also sees the introduction of Process Maturity in the form of written procedures and policies. At Level 3, a comprehensive System Security Plan is also required.
Unlike NIST SP 800-171, the CMMC will not allow self-certification. Full compliance at Level 3 spans 17 security domains covering topics from access control to physical security, inherited from the granddaddy of frameworks, NIST SP 800-53. In their totality, 130 practices will determine whether plans are established and maintained, control procedures are performed, documented, and managed, and sufficient cyber hygiene is executed so that CUI will be adequately protected.
Glossary
FCI: Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
CUI: Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Reference
Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB). CMMC Appendices V1.02, March 2020.
All content © 2023 Monarch ISC
V-ISO is our most engaged and complete service offering at Monarch ISC. You select the components, and we execute an annualized program acting as an outsourced member of your internal team.
This package may include everything we offer, or any of several sets of core program components. We bundle your choices, provide privileged pricing, and schedule our year together to build the program foundations. Once the foundations are built, we move into Sustainability Mode, still providing whatever level of engagement you choose.
What’s included?
Our highly effective policies and plans are currently in-force at banks, credit unions, healthcare facilities, and DoD contractors. Our careful iterative process ensures your organization is understood before the writing begins. Your policies and plans need to express actual practices, not some templatized check-box fantasy that bears little resemblance to your unique organization.
We will work with you to create a new Information Security Program, or dramatically improve your existing program or any component to include:
Monarch ISC Information Security Program documents have undergone two-decades of regulatory and audit scrutiny, passed every test, and set the standard. They are the bedrock on which you will build your information security program.
People are your weakest link. We deliver effective training to any organizational group to strengthen the whole chain, from end users to IT professionals to the Board of Directors, and every level in between. Everyone must gain awareness and develop the skills needed in their roles to make an organization resilient to adverse events and incidents.
Our live instructor-led training sessions:
Engage us to follow up the training with phishing email test campaigns to measure the effectiveness of our training too! We’re confident you’ll see results!
You made sure your Electronic Medical Record (EMR) system was HIPAA-compliant. Did you know that is just the first step in making your practice HIPAA-compliant?
You take great care of your patients, and you know that means taking great care of your patients’ sensitive personal data, too. But complying with the federal Health Insurance Portability and Accountability Act (HIPAA) can be as complicated as some of the things you learned in medical school.
Monarch Information Security Consulting understands what the law demands of you and your practice, can evaluate what you need to do to meet those expectations, and will create a customized and easy-to-understand plan for you to achieve complete HIPAA compliance and get back to caring for your patients with confidence.
Our consultants have over 40 years of experience in identifying, evaluating, and remediating HIPAA compliance. We take the time to get to know you and your organization, and we create a comprehensive map of your entire data flow. We pinpoint your vulnerabilities and infractions, we provide a smart, straightforward plan to achieve sustainable, HIPAA compliant data security, and we stand by you and our work in the event of an audit.
The FFIEC Cybersecurity Assessment Tool measures the maturity of your financial institution’s information security program. The tool helps define your current inherent risk profile and assess your compliance status across the security domains.
It can be a daunting exercise to complete.
We can help!
Our experts work with your team to complete the assessment and document any gaps in compliance. We will build a timeline for remediation, and can assist with training, risk assessments, policy building, business continuity exercises, board reporting, and more. Our work will fill the gaps and increase your maturity level.
The Cybersecurity Maturity Model Certification (CMMC) has been released!
The certification will be required for all Department of Defense contractors AND sub-contractors. Audits will begin in 2020. The audit timelines and the list of approved auditors have not been released.
Special Note: DoD Guidance for self-assessment scoring has been updated! You will need to provide your self-assessment (Basic) of the NIST 800-171 guidance to the Supplier Performance Risk System (SPRS). The system is online NOW! Do you know your score?
NOW is the time to start the certification process, so contact us for a free consultation.
For many organizations this is a strange new world. Data security requirements have been in place for banks, merchants accepting credit cards, and healthcare organizations, but never have manufacturers and other government contractors with unclassified information faced this type of scrutiny.
This can be an overwhelming amount of work.
The certification domains cover a wide variety of topics, from Asset Management to System and Information Integrity. You will need to implement the correct controls, write the appropriate policies, and keep track of your compliance activities in preparation for an audit. Failure to be certified will mean thousands, or millions, of dollars in lost government contracts.
Monarch ISC can help.