U.S. Department of Defense: CMMC 2.0 Cybersecurity Certification Required!
As of September 2020, a new cybersecurity certification has been put into effect by the U.S. Department of Defense (DoD). This certification called CMMC (Cybersecurity Maturity Model Certification) applies to all DoD contractors, subcontractors, and suppliers, regardless of their industry or location (USA, Canada, or anywhere else).
The 2020 CMMC version is known as CMMC 1.0 and had 5 levels of certification. After a pilot phase, it became clear that the process was cumbersome and needed to be simplified. So we moved to CMMC 2.0 with 3 levels of certification. The new process is lighter and especially accessible to SMEs, which is good news.
Reminder of the CMMC certification objective
CMMC certification was designed to enable the U.S. Department of Defense to ensure that its contractors, subcontractors, and suppliers are taking reasonable and adequate cybersecurity measures to protect the information entrusted to them in the course of their business relationship. These are:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
A very rigorous certification
One of the unique features of CMMC is that it is much more rigorous than most cybersecurity certifications on the market. For example, not all cybersecurity firms can accompany an organization through the CMMC certification process. Only authorized firms can do so.
To qualify, a cybersecurity firm must go through an authorization process that includes background checks, competency checks and expertise checks. Through this process, the U.S. Department of Defense ensures that quality professional guidance will be provided to organizations seeking CMMC certification.
Streamscan has gone through this rigorous qualification process and we are a CMMC Registered Provider Organization (RPO). We are officially authorized to accompany organizations in their CMMC process.
Determining the level of CMMC certification
The level of CMMC certification you need depends on the information you access as part of your relationship with DoD.
- If you only access Federal Contract Information (FCI) you will need a CMMC Level 1 certification. This applies even if you are a subcontractor to a DoD direct contractor.
- If you are accessing Controlled Unclassified Information (CUI), you must have at least a CMMC Level 3 certification.
The level of CMMC certification required will be indicated in DoD RFPs. You can also deduce it based on the type of information you are accessing (CFI = CMMC Level 1, CUI = at least CMMC Level 3).
However, the information may be omitted from the DoD RFPs. If in doubt, you should contact DoD to confirm the CMMC level required for a given RFP.
Reminder of CMMC Levels, Domains and Practices
CMMC includes 171 practices from 17 domains of cybersecurity. These practices are divided into 5 levels of certification with associated process maturity levels.
Level 1 / Basic (17 practices met): Selected practices are documented when required.
Level 2 / Intermediate (72 practices met): All practices concerned are documented.
Level 3 / Good (130 practices met): the practices concerned are documented, reusable and maintained.
Level 4 / Proactive (156 practices met): relevant practices are documented, reusable and maintained. Activities are reviewed and measured.
Level 5 / Advanced / Progressive (171 practices met): relevant practices are documented, reusable and maintained. Activities are reviewed and measured. The method becomes a standard that is used by all divisions of the company.
CMMC: the 17 areas covered!
- Access control
- Information Asset Management
- Audit and accountability
- User awareness and training
- Systems configuration management
- User identification and authentication
- Response to cybersecurity incidents
- System maintenance
- Protection of media and information storage media
- Personnel security
- Physical security
- Recovery and backups
- Risk management
- Security assessment
- Situational awareness (operational security, security monitoring, and cyber threat hunting)
- Systems and communications protection
- System and information integrity
Is there a link between CMMC and NIST 800-171?
Yes, CMMC Level 2-5 includes NIST 800-171 requirements as well as additional requirements.
How can StreamScan help you in your CMMC compliance process?
Streamscan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process.
Our cybersecurity experts are available to assist you in your CMMC compliance process.
The first step in our intervention is to help you identify the required CMMC certification level and the scope of your certification. We then perform a gap analysis to highlight your current strengths and weaknesses as well as the gaps and practices to be implemented to reach the required CMMC certification level. With our support, you can then make the necessary corrections to comply with CMMC.
Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.