Who Needs CMMC Certification?

The Cybersecurity Maturity Model Certification (CMMC) affects all companies worldwide. Including those that have or plan to do business directly or indirectly with the US Department of Defense (DOD). CMMC affects general contractors, subcontractors / suppliers, or product manufacturers. Therefore, it is companies within this sphere who will need CMMC Certification.  

It can be assumed that CMMC will be extended to tenders from other US authorities as soon as the DOD has gained appropriate experience. If the recommendations of the Cyberspace Solarium Commission Report are taken into account.   

What is the goal of CMMC?

CMMC is intended to increase the cybersecurity of the entire commercial supply chain (including Defense Industrial Base) of the US Department of Defense. Companies should implement uniform, documented and tested cybersecurity measures (IT & processes).

In particular, sensitive but unclassified information. Including: Controlled Unclassified Information (CUI) – should be protected from uncontrolled or accidental access.

In addition, Federal Contract Information (FCI), Covered Defense Information (CDI) and, of course, higher classified information at the levels RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET / SCI must also be protected. 

What is CMMC? 

The CMMC is built around a set of processes and good practices to be implemented. The two are inseparable: to be able to claim a level of certification, it will be necessary to validate both the process parts. And the part of the implementation of security measures. The processes, very similar in spirit to what the CMMI offers. They aim to guarantee the proactive integration of cyber security into the DNA of the certified structure. 

They will make it possible, step by step, to move from a state where activities are carried out but not managed and documented.

What are the next steps? 

If you are a DoD contractor or wish to do business with DoD, it is imperative that you initiate the CMMC compliance process quickly. CMMC has 171 practices from 17 areas of cybersecurity. These practices are divided into 5 certification levels to which are associated process maturity levels.

DoD has its own rules and you must comply with the CMMC to be eligible for DoD contracts. Your CMMC compliance should at a minimum cover the portion of your network that collects, processes, stores or transmits Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

Who needs it exactly? 

CMMC applies to anyone in the defense contract supply chain. Such as contractors who engage directly with the Department of Defense. As well as any subcontractors. According to the DoD, the CMMC launched standards will affect over 300,000 organizations.

The 17 areas covered by CMMC are:

  1. Access control
  2. Information asset management
  3. Audit and accountability
  4. User awareness and training
  5. System configuration management
  6. User identification and authentication
  7. Response to cybersecurity incidents
  8. Systems maintenance
  9. Protection of media and information storage media
  10. Staff safety
  11. Physical security
  12. Recovery and backups
  13. Risk management
  14. Safety assessment
  15. Situational awareness (operational security, security monitoring and cyber threat hunting)
  16. Protection of systems and communications
  17. Integrity of systems and information

You should be aware of this moving forward, for the benefit of your company.