CMMC BY THE DOD
The Department of Defense (DoD) on December 26, 2023 issued a proposed rule to its Cybersecurity Maturity Model Certification (CMMC) program. The purpose of the CMMC program is to strengthen the security measures of companies collaborating with the DoD. This program provides a well-defined set of cybersecurity standards and practices.

IN-DEPTH LOOK AT CMMC LEVELS
The CMMC now segments its security requirements into three levels, each reflecting the sensitivity of the information handled. Higher levels denote more stringent security protocols.

Level 1 – Basic Cyber Hygiene:

• Focus: Protecting Federal Contract Information (FCI).
• Requirements: Basic security measures for non-public information, including standard cybersecurity practices like regular software updates, basic encryption, and user access security.

Level 2 – Intermediate Cyber Hygiene:

• Focus: Controlled Unclassified Information (CUI).
• Requirements: Enhanced security measures, building on Level 1. This involves improved access controls, regular audits, and stronger encryption to protect sensitive government data.

Level 3 – Advanced/Progressive:

• Focus: Highly Sensitive CUI.
  
• Requirements: Advanced security strategies to counteract sophisticated cyber threats. This includes comprehensive monitoring, strict data control, and advanced threat detection. Companies must actively update and improve their security practices.

The tiered structure of the CMMC ensures that companies involved in DoD contracts are equipped with suitable cybersecurity levels, tailored to the sensitivity of the data they manage. This approach not only protects vital information but also strengthens the overall security framework of the defense sector.

KEY POINTS OF THE PROPOSED RULE:
(Click each plus sign below for more details)

Evolution of CMMC

The CMMC journey began with Executive Order 13556 in 2010, establishing guidelines for handling Controlled Unclassified Information (CUI). In 2016, the DoD amended its acquisition regulations (DFARS) to include cybersecurity reporting requirements. CMMC 1.0 was introduced in 2020, which has now evolved into CMMC 2.0, forming the basis of the current proposal.

Assessment and Certification

Companies are required to conduct comprehensive assessments to ensure they meet CMMC standards. The complexity of these assessments varies and they can be performed either internally or by external bodies.

Contractual Requirements

Maintaining compliance with CMMC standards is essential for companies to secure and keep contracts with the DoD. These standards will be integrated into contracts, and more detailed guidelines are anticipated in future.

Inconsistencies and Updates

The proposed rule highlights some inconsistencies with the current DFARS clauses, particularly regarding the use of NIST SP 800-171 standards, which may lead to future adjustments and the handling of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) by defense contractors.

Staged Implementation

The CMMC is being introduced gradually, aiming for
full implementation by 2026.

Mandatory Evaluations

Companies need to complete evaluations to confirm their adherence to required security standards. These can be internal self-assessments or external reviews. Identified security gaps must be addressed within 180 days.

CONTACT OUR CMMC EXPERTS
Our goal is to prepare you for the CMMC assessment. We will answer all of your questions about the CMMC process and will explain how we can prepare you for the CMMC assessment process. We are always happy to answer any questions you might have about the CMMC and our services. Do not hesitate to contact us for more information!

Almond Consulting is postured with certified experts to assist with your organization's CMMC audit readiness with our full-spectrum approach.
Contact us today to learn more!