On January 30th, 2020, the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC). The goal of this framework is to ensure that every participant in the DOD supply chain has a minimum level of cybersecurity controls to protect Federal Contract Information (FCI) and Confidential Unclassified Information (CUI). This includes all of the more than 350,000 companies within the Defense Industrial Base (DIB) supply chain.
CMMC is a rather exhaustive framework built on FAR Clause 52.204-21, NIST 800-171r1, NIST 800-171B and other frameworks. Within each domain there are a number of practices; for example, at level 1 there are 17 practices (Basic Cyber Hygiene) and at level 5 there are 171 practices (Advanced/Progressive). For each practice there are 5 levels of processes, from level 1, “Performed”, through level 5, “Optimizing”.
CMMC Processes and Practices: Level 1 to Level 5
Unlike many other frameworks that require no certification, CMMC will require a review by certified auditors. By mid-summer 2020 it is expected that the newly established accreditation board, CMMC-AB, will begin to certify auditors. These auditors will in turn work for C3PAOs (Certified Third-Party Assessment Organizations). The first assessors should be certified by mid-year. The CMMC will be included in some upcoming RFIs/RFPs in mid to late 2020, and over time, as contracts come up for renewal, the CMMC framework will be rolled out.
Deeper Solutions has a deep understanding of the underlying frameworks that were used to develop the CMMC. Though no organization or individual can perform a CMMC audit, Deeper Solutions can provide Audit Readiness Services, which allow organizations to identify what level of processes and practices they should achieve and to identify gaps in their current state.
For any questions please contact firstname.lastname@example.org