What is NIST / CMMC?


On November 30, 2020, the Department of Defense (DoD) issued an interim rule to strengthen cybersecurity throughout the Defense Industrial Base (DIB). The new rule applies to all contracts that include DFARS 252.204-7012. Under the new rule, companies holding such contracts must conduct a self-assessment of their NIST SP 800-171 compliance and submit the results through the Supplier Performance Risk System (SPRS). The rule also lays out the requirements for the CMMC standard, which will soon be a requirement for all DoD contracts.

The CMMC (Cybersecurity Maturity Model Certification) v1.0 framework was released January 31, 2020. It focuses on the security and resiliency of the DIB as defined by the OUSD (A&S) and the DoD. The official CMMC rollout will occur over several years to encompass all contracts and suppliers.

The Structure of CMMC


CMMC measures security at 5 levels, from Basic Cyber Hygiene to Advanced/Progressive Cybersecurity. Each level is described by a process maturity and a practice maturity:

Level     Processes     Practices
Level 5   Optimizing    Advanced/Progressive
Level 4   Reviewed      Proactive
Level 3   Managed       Good Cyber Hygiene
Level 2   Documented    Intermediate Cyber Hygiene
Level 1   Performed     Basic Cyber Hygiene

This standard contains 17 domains. Each domain contains a set of processes and capabilities that apply throughout the 5 maturity levels.

17 Domains

Access Control
Asset Management
Audit & Accountability
Awareness & Training
Configuration Management
Identification & Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Recovery
Risk Management
Security Assessment
Situational Awareness
System & Communication Protection
System & Information Integrity

Source: CMMC Model v1.0 Approved for Public Release

CMMC Practice Progression


Most small businesses that handle CUI (Controlled Unclassified Information) will require Level 3 certification. Level 3 encompasses the entirety of NIST SP 800-171 plus 20 additional practices.

Level 1 (17 Practices)

  • Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21

Level 2 (72 Practices)

  • Comply with the FAR
  • 48 practices from NIST SP 800-171r1
  • 7 additional practices for intermediate cyber hygiene

Level 3 (130 Practices)

  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171r1
  • Includes an additional 20 practices to support good cyber hygiene

Level 4 (156 Practices)

  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171r1
  • Includes 11 practices from Draft NIST SP 800-171B
  • Includes an additional 15 practices to demonstrate a proactive cybersecurity program

Level 5 (171 Practices)

  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171r1
  • Includes 4 practices from Draft NIST SP 800-171B
  • Includes an additional 11 practices to demonstrate an advanced cybersecurity program

Source: CMMC Model v1.0 Approved for Public Release

What Our Clients Say

"With CORE's platform, training and consultants we were able to succeed in a short time and gain a level of understanding and structure we otherwise would never have been able to accomplish."
- Anne Mills on BirdEye

"The certification process was easy and painless. Suzanne Weber-Smatko did an excellent job of preparing us for the audits and we were certified with no findings."
- Elizabeth Meighan on BirdEye

"C&C International was indeed very pleased with the Core training we've recently received. Suzanne Weber-Smartko and Norman Verbeck provided very good support and direction. We are very much satisfied with CORE."
- Bill James on Google

"The Core Solutions team was excellent to work with and made the ISO preparation tolerable. I highly recommend the services of the Core Solutions."
- Paul Amalfitano on BirdEye

"Thanks to the CORE team and especially Bruce Newman for a great experience achieving our company's first ISO certification."
- Flip Crummer on Facebook


Consulting Support for CMMC Compliance

Core Business Solutions is a CMMC Registered Provider Organization with several Registered Practitioners on staff. That means we're officially recognized by the CMMC Accreditation Board as trustworthy implementation experts.

For smaller DoD contractors, CMMC might seem like a complex burden. But we're here to handle the complicated parts so you can focus on your business.

At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide training for your employees, your management, and your IT team or MSP (if you outsource your IT needs).

We also assist you in your guided self-assessment. We will help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), roadmap, and budget.

Our consulting plans also include the CORE Security Suite to help you implement CMMC practices and maintain certification going forward.


Related Standards

We also provide consulting support for companies seeking multiple certifications through an Integrated Management System:

  • ISO 9001: Quality Management Systems
  • ISO 27001: Information Security Management Systems
  • ISO 20000-1: Service Management Systems

For more information about compliance, please call our consulting office at 866-354-0300 or contact us online.
