CMMC Readiness Baseline
Cybersecurity Maturity Model Certification (CMMC) Baseline
As of August 15, 2024, the 48 CFR proposed rule is scheduled to be published in the Federal Register. This starts the public comment period of 60 days.
CMMC includes three maturity levels adding to the 110 security requirements in NIST SP 800-171 currently required under DFARS 252.204-7012. Maturity Level 1 is associated with organizations that pose the least risk and require a "foundational" baseline security program. Maturity Level 3 organizations pose the highest possible risk to national defense interests and therefore require the most rigorous "expert" security program. Organizations that intend to bid on DoD contracts must show that the maturity of their CMMC certification supports the risk associated with the contract on which they intend to bid.
Risk is an undeniable factor in conducting business. Quantification of cybersecurity risk to determine potential impact compared to organizational Risk Appetite has proven to be problematic. Cyber threats continue to grow exponentially and represent one of the most significant operational risks facing modern organizations.
Framework Overview
In 2020 the Department of Defense (DoD) released additional details regarding the Cybersecurity Maturity Model Certification (CMMC). This framework ensures DoD contractors and suppliers have the appropriate cybersecurity framework and associated controls in place to protect data such as Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other valuable and/or critical data. The DoD is mandating this framework "to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB)."
CMMC Certification
In order to continue working for or bidding on projects with the DoD, organizations will be required to certify to CMMC. With any certification comes preparation – and some organizations may need months to prepare for these new requirements.
The Cyturus CMMC Readiness Baseline provides a methodology not only to identify cybersecurity business risks, but also to measure cybersecurity risk across the entire business enterprise, helping organizations prioritize goals and create strategies to make quantifiable improvements in their cybersecurity programs.
CMMC includes three maturity levels adding to the 110 security requirements in NIST SP 800-171 currently required under DFARS 252.204-7012. Maturity Level 1 is associated with organizations that pose the least risk and require a baseline security program. Maturity Level 2 focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2. Maturity Level 3 organizations pose the highest possible risk to national defense interests and therefore require the most rigorous security program. Organizations that intend to bid on DoD contracts must show that the maturity of their CMMC certification supports the risk associated with the contract on which they intend to bid.
These elements make the model an easily scalable assessment for implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework as well as for preparing for CMMC certification. The CMMC Readiness Baseline deliverables represent the results of an in-person, interview-based assessment and evaluation of your Information Security Program. These results are then used to identify specific areas requiring improvement to reach the desired CMMC certification level, strengthen the cybersecurity program, prioritize cybersecurity actions and investments, and maintain the desired level of security throughout the IT systems life cycle.
Our CMMC Readiness Baseline
Our CMMC Readiness Baseline service is based on our proprietary Adaptive Risk Model (ARM) methodology. The Cyturus ARM identifies deficiencies, measures potential business impact, and recommends prioritized remediation actions across the entire enterprise. The results of this service can be ingested into the Cyturus ARM framework for deeper examination and lateral impact analysis as part of a future holistic engagement.
Is your organization prepared for the CMMC certification process? Do you need expert guidance in evaluating processes? Contact us to discuss your CMMC level of preparedness and begin to implement a framework and set of processes that will guide your organization to CMMC maturity.
Establish your CMMC readiness. Prepare for official certification.
Know Your CMMC Level
Determine whether your business is a Level 1, 2 or 3 organization. Levels are assigned to organizations based on the risk they pose to the DoD and its mission.
Risk Evaluation
For Level 2 and Level 3 organizations, CMMC requires a risk assessment. With Cyturus, a Registered Provider Organization, conducting your CMMC gap assessment, we can prioritize your risks and design controls that are demonstrably reasonable against foreseeable risks.
Certification
After a beta testing period in 2020, the DoD and the CMMC AB will select contractors to undergo CMMC certification. As a team, we will work with an auditor (C3PAO) to test your compliance with the new requirements. Upon completion of the certification, you will be permitted to respond to RFPs and to continue your contracted work with the DoD.
Current Compliance Evaluation
If you are a DoD contractor who poses a risk to CUI, you already have an obligation to self-assess against NIST Special Publication 800-171. Additionally, the CISO of the Office of the Under Secretary of Defense for Acquisition urges all contractors to achieve Level 1 compliance now. The Cyturus independent gap assessment will help you understand your current state of compliance.
Remediation Game Plan
By developing a Plan of Action and Milestones (PoAM) and a System Security Plan through your partnership with Cyturus, you can address your current NIST 800-171 requirements based on risk, and we can develop a roadmap toward your eventual CMMC certification.