The CMMC, Four Common Questions


What’s the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new measure for evaluating the cybersecurity programs of vendors that contract with the Department of Defense (DoD). The recently published CMMC model is built on established control frameworks, most notably NIST SP 800-171 and its draft enhancement, NIST SP 800-171B. Organized into 17 domains, the model evaluates both the cybersecurity practices in place (to score cyber hygiene) and the processes used to maintain and improve those practices over time. By building on tested control frameworks, the CMMC aims to enhance and standardize the DoD's ability to measure security programs consistently across vendor engagements. Version 1.0 of the model was finalized and published on January 31st, 2020 and is planned to take effect in June 2020 for new contracts and upcoming contract renewals.

Why Is It Being Instituted?

The DoD found numerous instances where security measures were not being properly implemented or maintained across its vendors. Despite legal action to enforce accountability, vendors continued to self-assess against standards that were not met in practice or reviewed for improvement. Given the sensitive data, including Controlled Unclassified Information (CUI), shared across the DoD supply chain, the CMMC establishes cybersecurity as the primary element in evaluating a vendor's eligibility to do business. Previously, security was weighed alongside cost, performance, and schedule (the timeline to execute). This shift makes security a threshold that vendors must meet before cost, performance, or schedule are considered at all.

What’s Unique About the CMMC Model?

  • Cannot self-assess
    • The CMMC requires that an accredited third-party assessment organization assess and score the vendor and provide recommendations; a vendor's own attestation is no longer sufficient.
  • Not just a simple yes or no check
    • Beyond gauging whether a security control or practice is in place, the model rates the maturity of the practices implemented across the 17 domains on a scale of 1 to 5, and a vendor is certified at the level it achieves.
  • Weighing continuous improvement initiatives
    • Beyond measuring how well a practice is implemented, the model also rates, within each domain, the process used to implement and maintain security on the same 1 to 5 scale.

Who Does it Apply to?

The CMMC applies to all contracted vendors, and their related subcontractors, doing business with the DoD. The certification must be assessed and scored by a third-party assessor approved by the DoD, except in advanced cybersecurity circumstances where the DoD may engage directly to evaluate the vendor and assign a level.

Learn how the OneTrust GRC Platform can support your cybersecurity initiatives by measuring controls across frameworks and evaluating your performance and processes over time.