What Is Cybersecurity Maturity Model Certification (CMMC)?
When you do business with a national or governmental entity, security and privacy will be the two elements that both you and they appreciate the most.
After all, companies that hold contracts with, or are otherwise involved with, the Department of Defense, federal agencies, and similar entities handle a great deal of information, both unclassified and classified. You therefore have to make sure this aspect of your company is in order, so that you provide proper security for yourself and for the entity you are working with. This is where the Cybersecurity Maturity Model Certification (CMMC) starts to play a crucial role.
It is a procedure and standard implemented across DoD contractors. In simpler words, it is required only when you need to hold contracts with this entity, with similar ones, or with those related to it. However, some companies adopt it for other cybersecurity needs as well, because of how much improves with its implementation. The standard is built from a combination of other standards and practices that are considered the best in the cybersecurity field.
Something to keep in mind before implementing it is that it is quite new, since it was released this year (2020); that does not mean it has defects or is unsafe. In fact, it is the best standard to practice for its specific purpose and, as mentioned before, even for general cybersecurity. What matters when going for it is that implementing it takes a lot of time and effort because of its nature.
After all, this standard works on a maturity model, just as its name says.
A maturity model starts from zero, or from a specific level that reflects the current status of the company and the area you are working on or improving. For cybersecurity, it all starts from the company's poor cyber hygiene, since it usually has no system in place to protect its information and data. Therefore, once you understand what CMMC is (which was briefly explained above), you need to understand how it works and why you will need support for it.
What are the levels we mentioned?
Since CMMC draws on over 5 different standards and ISOs, implementing it involves several aspects and sections. In a few words, you need to handle different elements of cybersecurity in order to meet the results and requirements the document demands.
That being said, the levels of the procedure identify quite well the aspects you will be working on, both in general and in specific terms. The levels go from 1 to 5, and they also identify the level of your cybersecurity.
Level 1: it focuses on basic cyber hygiene, which covers what most people are already aware of in this area, such as antivirus software and making sure that a company's staff use safe passwords. Knowing which passwords your company's staff use, or even setting them yourself to guarantee more security, is important to protect specific data and all of it.
Many companies underestimate the difference between a basic password of only a few characters and one with many characters, symbols, and numbers, or at least one that is not someone's birthday or a similar date. This level is entirely dedicated to covering the basic standards of cybersecurity so that the company improves and gains more knowledge in the area.
This includes looking after authentication and several other parameters you may have seen at companies you worked for before or are close to. Most of the time, this level is characterized by protecting Federal Contract Information (FCI), even though companies with a DoD contract should already meet the requirements established for it.
Level 2: this is intermediate cyber hygiene, which focuses on new elements and aspects that regular people and companies are not familiar with, especially when it comes to the data managed and protected in the company. This is when the concept of Controlled Unclassified Information (CUI) will start to be something you hear or read about daily.
This information does not include classified data, but that does not reduce the importance of safeguarding it. At this level, the company will have to meet certain requirements in order to reach the level of security required for the information or data it manages. Most of these requirements come from the NIST 800-171 r2 standard, which is one of the best-practice standards in the cybersecurity area.
Most of the standards at this level relate to controlling who has access to the data and how they can access it. There are several elements involved, and knowing how to handle them, as well as making the pertinent changes and additions to guarantee the best results, will become more crucial than ever.
Level 3: this stands for good cyber hygiene, where requirements and standards multiply. Something we deliberately left unexplained until now is that every level has its own security controls and practices. At level 3, there is a total of 47 security controls that need to be met in order to comply with the NIST 800-171 r2 standards. In a few words, you need to meet every requirement from the previous standards and make sure to cover all the controls and practices to guarantee the success of the level and of your cybersecurity.
Level 4: it stands for proactive cyber hygiene, given the need to measure, detect, and defeat cyber threats. Most companies are not aware of how important it is to take the initiative and handle these aspects and needs themselves, which is why they are introduced and practiced in order to reach the next level in cybersecurity. This level follows several standards and requirements; there are not as many as in the previous level, but they are quite tough to handle as well.
Level 5: it is considered the advanced or progressive phase of CMMC. After all, you will be following 30 security control standards in addition to everything you have implemented so far. This means that, across all the levels, there are over 100 security controls you need to consider.
It is quite hard to reach this level, since some standards are not feasible due to the nature of the controls. In simpler words, it is difficult and considered almost impossible, but that does not make it any less worth considering.
Since CMMC is quite new and only became mandatory for companies in June 2020, you will need the support and certification of a reliable company. At ISO Pros, we can help you and will make sure you go through the maturity levels properly.
Keep in mind that at level 4 you are more than capable of getting certified and handling any contract with the DoD in the United States. But if you have more questions or doubts about this aspect, or any other, let us know.