What is CMMC?
The Cybersecurity Maturity Model (CMMC) is a US initiative lead by the Office of the Assistant Secretary of Defense for Acquisition within the Department of Defence (DoD). It builds upon existing regulation (DFARS 252.204-7012) that requires DoD contractors and subcontractors to safeguard information within the US supply chain using a self-certification method. The new risk management framework (RMF) adds a verification component that requires the employment of third-party auditors to conduct the audit and certification process. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision” when selecting suppliers.
Huntsman Security’s CMMC solution provides excellent coverage of the practices specified within CMMC requirements for both audit requirements and improvement of cyber hygiene.
A summary of CMMC requirements
The CMMC RMF provides a means of improving the alignment of maturity processes and cybersecurity practices with the type and sensitivity of information to be protected and the range of threats:
CMMC Maturity Levels
Suppliers who handle Controlled Unclassified Information (CUI) will need to be audited and obtain certification from a third-party auditor that appropriate maturity in processes and practices are being achieved.
The model consists of capabilities, processes and practices organised into a set of domains that are mapped across five maturity levels. The model is cumulative, which means that in order to achieve a desired maturity level, an organisation must also demonstrate achievement of the preceding lower levels. The 17 domains are summarised below. Full details can be found on the official government site here.
CMMC Domains Overview
About CMMC Levels
At each maturity level, organisations are required to comply with the nominated processes and practices.
CMMC Level 1 “Basic Cyber Hygiene”
Organisations are required to implement 17 specified practices. However, they may not rely on documentation, consequently they do not need to be audited.
CMMC Level 2 “Intermediate Cyber Hygiene”
Organisations are required to implement 72 (17+55) specified practices, plus establish and document practices and policies. Level 2 is regarded as a ‘progression’ stage where documentation is very much work in progress.
CMMC Level 3 “Good Cyber Hygiene”
Organisations are required to implement 130 (17+55+58) specified practices. They must also actively manage their established processes within detailed plans showing missions, goals, project plans, resourcing, training and inclusion of relevant stakeholders.
CMMC Level 4 “Proactive”
Organisations are required to implement 156 (17+55+58+26) specified practices. In addition to Level 3 process requirements, they must also review and measure practices for effectiveness.
CMMC Level 5 “Advanced / Progressive”
Organisations are required to implement 171 (17+55+58+26+15) i.e. all specified practices. In addition to Level 4 process requirements, they must standardise and optimise process implementation across the organisation.
When do suppliers need to comply?
CMMC version 1.0 became available in January 2020. From June 2020, the requirements form part of the DoD’s Request for Information. The new certification won’t be required for any contracts already signed, only new ones. The first solicitations mandating CMMC are due to come out in the third quarter of 2020. That means it will take some time to bring all contractors into compliance, as five years is the typical duration of many contracts.
How Huntsman Security meets CMMC requirements
If you are a certified auditor or you are looking to implement the framework’s requirements, Huntsman Security’s solution provides excellent coverage, as per the table below:
Huntsman Security’s coverage of CMMC Domains
In summary the Huntsman Security solution supports:
- 16/17 Domains (94%)
- 37/43 Capabilities (86%)
- 139/171 Practices (81%)
The solution includes operational controls directly, the monitoring of control operation and assurance (and regular reporting) of control effectiveness.
Mapping to the requirements
Download the Compliance Guide Overview to explore how Huntsman Security’s solution supports the certification process and improvement of cyber hygiene.
Find out more
You can request the full Compliance Guide or arrange to discuss your requirements with the Huntsman Security Engineering Team via the button below.