What is the Cybersecurity Maturity Model Certification (CMMC)?
Cyberattacks targeting the Defense Industrial Base (DIB) pose a risk to national security. Businesses large and small play a role in the DIB ecosystem, and this diversity brings a great variety of business processes, IT systems, controls, and cybersecurity practices. The Department of Defense (DoD) established the CMMC framework to provide a common set of requirements that ensure proper safeguarding of both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Who does it apply to?
Government contractors participating in the DIB that process, store, or transmit FCI or CUI may have contractual requirements that imply an eventual certification requirement. The following contract clauses can be an indicator:
- FAR 52.204-21
- DFARS 252.204-7012
- DFARS 252.204-7019
- DFARS 252.204-7020
- DFARS 252.204-7021
- DFARS 252.204-7024
What is Controlled Unclassified Information (CUI)?
We cannot talk about the CMMC without discussing CUI. Ultimately, the CMMC was developed to ensure that organizations properly safeguard CUI. So what is CUI? From the CUI Program Blog: Controlled Unclassified Information (CUI) is sensitive information that laws, Federal regulations, or Government-wide policies require or permit executive branch agencies to protect.
Consider an example: a manufacturer makes a part or assembly that ultimately ends up in a Defense-related application. The blueprints or drawings used to machine the part are likely CUI. If these documents exist in physical form at the manufacturer, certain practices must be in place to safeguard them (handling, storage, destruction, etc.). When the same information exists digitally on the manufacturer’s computer network, specific controls must be in place to safeguard it. The CMMC outlines the safeguards that must be in place to process, store, or transmit this data.
How can Bound Planet help?
Rulemaking is proceeding. Are you preparing? We recommend being proactive in addressing the CMMC.
We offer the following:
- Education on CMMC requirements
- Pre-assessment readiness evaluations and guidance
- Scoping guidance
- Assistance navigating PIEE / SPRS
- Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment
- Assistance in posting score to SPRS
- Assistance in meeting DFARS 252.204-7012 reporting requirements
- Medium Assurance Certificate Procurement
- Advisory specific to CMMC initiatives
- POA&M Development
- SSP Development
- Consulting and project management related to implementing the requirements
- Policy documentation and review
- Service offerings to meet practice requirements. Examples: Awareness and Training, Vulnerability Scanning and Assessment, Incident Response Planning
Whether you don’t know where to start or you simply need a specific solution to satisfy a practice requirement, contact us today to find out how we can help your organization prepare.
Our Approach
We don’t believe in one-size-fits-all; however, we do follow a common approach for our clients. We believe in flexibility and in tailoring engagements or services to meet each client’s requirements.
- Establish Baseline – Our CMMC Pre-Assessment Readiness Evaluation establishes the current state of the Organization Seeking Certification (OSC) practices in comparison to CMMC requirements. This initial baseline supports later activities such as scoping, POA&M development, and implementation.
- Identify Scope – The people, processes, and technology (PPTs) associated with processing, storing, or transmitting CUI can greatly influence the scope of implementation. OSCs may reduce the scope by limiting which PPTs constitute the CMMC assessment scope. In some cases a reduced-scope approach may not be feasible; either way, scope should be identified early in the process.
- Establish POA&M – Once the scope has been determined, the action plan for implementation can be developed.
- Develop SSP – An SSP is required for uploading scores to the Supplier Performance Risk System (SPRS).
- Implement Practices – Practices must be implemented for the PPTs within the CMMC assessment scope. While implementation occurs, Bound Planet assists the OSC in managing the POA&M and SSP.
- Operate – Certain practices must be performed periodically per the CMMC. Bound Planet can assist OSCs in maintaining compliance in this regard.