What is CMMC?
15 Aug
By Sri Achary | In Cybersecurity, Medium Business, Small Business, Standards, Technology
It’s all about protecting and safeguarding Controlled Unclassified Information (CUI). CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.
CUI is not classified information. It is not corporate intellectual property unless that property was created for, or is included in requirements related to, a government contract.
The present compliance standard for protecting and safeguarding CUI is National Institute of Standards and Technology (NIST) SP 800-171. It requires that federal contractors and subcontractors ‘self-certify’ that they are compliant in order to bid on federal/DoD contracts that involve CUI.
Because self-certification involves no third-party verification, the DoD created the Cybersecurity Maturity Model Certification (CMMC). CMMC gives the department a mechanism to certify the cyber readiness of the largest defense contractors (the companies that win contracts directly from the department are called “primes”) as well as the smaller businesses that subcontract with the primes. CMMC mostly deals with CUI which, again, is not classified information.
CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
Table 1: CMMC Maturity Levels
What does it mean for defense contractors?
Unlike NIST SP 800-171, the CMMC model has five levels. The levels are cumulative: each level consists of its own practices and processes plus all of those specified at the lower levels. A CMMC Third-Party Assessment Organization (C3PAO) performs the assessment and recommends for or against CMMC certification at the level sought.
Existing contracts with the department will not have CMMC requirements inserted into them; the requirement arrives with new contract awards. The new CMMC provides for five levels of certification covering both cybersecurity practices and processes.
Eventually CMMC is expected to extend to civilian and non-defense federal contractors, becoming the cybersecurity standard that federal agencies adopt in the near future.
How do companies prepare to bid for DoD and Federal Contracts that require CMMC?
The CMMC Accreditation Body (CMMC-AB), a non-profit, independent organization, will accredit CMMC Third-Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC-AB will provide the requisite information and updates on its website.
The CMMC-AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, defense industrial base (DIB) companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
Organizations that are interested in bidding for DoD and federal contracts should start preparing for CMMC now. The CMMC-AB will start listing assessors and practitioners in its marketplace. The CMMC Model appendices provide clarifications for each control.
What is CUI and FOUO, and how can my organization prepare for it?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for ‘For Official Use Only’, is a legacy document designation used by the DoD for unclassified information with dissemination restrictions; under the CUI program such information is handled and marked as CUI.
Organizations that start preparing for the CMMC levels now will have an advantage when bidding on contracts that require CMMC. Preparing for a CMMC level and getting ready for an assessment takes time, and DoD is already including CMMC requirements in its contracts. CMMC Level 3 is the most common level and will qualify a small or medium-sized business for most federal contracts.
   
Tags: CMMC, Cybersecurity