Measuring Process Maturity of Your Cybersecurity System for the CMMC
The Cybersecurity Maturity Model Certification (CMMC), issued by the U.S. Department of Defense (DoD), aims to establish best practices for cybersecurity system standards and vendor evaluation. Published in January 2020, the CMMC is scheduled to go into effect June 2020. The CMMC assesses a vendor’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Both existing and new vendors will need to undergo external audits that measure their cybersecurity practices and processes to determine maturity on a scale of 1 to 5. The cybersecurity maturity score evaluates a vendor’s technical practices (controls), ranging from basic cyber hygiene to advanced capabilities designed to repel threats. The CMMC model also measures the process a vendor follows to maintain and improve its security operations.
All vendors must be certified to conduct business with the DoD. Your eligibility for new contracts with the DoD will be contingent on your CMMC level, which determines what type of information you are authorized to process, such as CUI. Requests for proposals (RFPs) will specify the CMMC level required to bid on a contract.
While obtaining any certification level relies on a Certified Third-Party Assessment Organization (C3PAO), companies can prepare for an audit and evaluate their cybersecurity systems and processes through a self-assessment and program maturity checks. Preparing for this audit is essential: if your score does not meet DoD contract requirements, you may be ineligible for renewal or emerging DoD opportunities. The DoD is still finalizing audit guidelines but has established a CMMC Accreditation Body that is developing course material to train prospective C3PAOs.
Review Your Current Cybersecurity Practices and Controls
The CMMC incorporates security categories and practices from NIST SP 800-171 rev. 1 and several practices from FAR Clause 52.204-21 and Draft NIST SP 800-171B, and also draws on the UK Cyber Essentials and the Australian Cyber Security Centre’s Essential Eight Maturity Model. Unlike NIST SP 800-171, the CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of an organization’s implementation of cybersecurity systems and process controls, the CMMC will also assess how thoroughly the organization has institutionalized its cybersecurity practices and processes.
Focus on Standardizing and Optimizing Programs Across Your Organization
Within each of the CMMC’s 17 capability domains, your organization’s process maturity is assessed on a scale of 1 to 5: performed, documented, managed, reviewed, and optimizing. Your score for technical practices within each of the 43 capabilities is assessed in tandem with your process maturity score to produce an aggregated score of your overall maturity across cybersecurity-related programs.
- Level 1 (performed) is the default score, showing that the capability may be in place within certain business functions, but there is little or no initiative to institutionalize the practice across the organization.
- Level 2 (documented) reflects the previous requirements of having a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M); in effect, a documented policy that guides the implementation of the technical practice for each capability.
- Level 3 (managed) indicates that you are instituting the required technical practices and providing the resources to execute the capability effectively; an example is proactive training that distributes company policy and processes.
- Level 4 (reviewed) signifies that you measure how technical practices perform and are executed, evaluate processes across your three lines of defense, and review audit results with higher-level management to highlight areas for improvement.
- Level 5 (optimizing) establishes optimized cybersecurity processes and advanced practices. To achieve this level, your company must demonstrate at least three things:
  - Your corporate policy must outline the cybersecurity system requirements detailed in the CMMC, including NIST SP 800-171 r1, as well as the additional standards indicated.
  - You must have auditable controls in place to demonstrate those practices through measured implementation records.
  - To demonstrate your process maturity, you must show documentation that these practices are reviewed periodically for recommended process improvements or optimization.
Having a system in place to dynamically track and produce auditable records showing that your organization’s capabilities are in line with the CMMC can streamline your certification process. Learn more about how OneTrust GRC can help your organization support an optimized cybersecurity system and practice.