Wednesday, January 20, 2021

Cybersecurity Maturity Model Certification (CMMC)

     Cybersecurity Maturity Model Certification is a topic I heard about just last week. I was aware of the CMMI model, which is more of a capability maturity model, and my first company was CMMI5 certified. I started reading on CMMC as I work in the security space and it's something I should know. I made some notes and thought of putting them on my blog.

What is a Maturity Model?

Maturity models are a collection of best practices, the degree of adherence to which progresses organizations along a scale from lower levels of adoption or “maturity” to higher levels of aptitude and certification. Certifying to a maturity model means that a company or organization has committed itself to improving its processes and practices within a model’s domains to a sustainable, measured level of high performance.

What is the Cybersecurity Maturity Model Certification?

Cybersecurity Maturity Model Certification is a program initiated by the United States Department of Defense (DoD) in order to measure their defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. At a high level, the framework is a collection of processes, other frameworks, and inputs from existing cybersecurity standards such as NIST, FAR, and DFARS.

At a tactical level, the primary goal of the certification is to improve the surety and security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that federal contractors possess and use. The CMMC program was announced on January 31, 2020, and took effect in September 2020.

Why was CMMC created?

The CMMC is intended to serve as a verification mechanism to ensure that Defense Industrial Base (DIB) companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

Why is CMMC needed?
  • Applies to Department of Defense (DoD) prime contractors and subcontractors
  • Applies to some new contracts starting in 2020 and to all contracts beginning in 2026
  • The progressive model covers advancing levels of cybersecurity processes and practices, resulting in a certification level
  • Contractors must start at Level 1 and certify at each level all the way to the top, Level 5