The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). The CMMC is the US Department of Defense’s response to numerous compromises of sensitive information that sits on contractors’ information system. Essentially, the CMMC acts as a framework to better assess and improve the cybersecurity posture of the DIB. The purpose of the CMMC is to ensure that appropriate levels of cybersecurity practices and processes are in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that reside on the DIB’s network.
The CMMC establishes five certification levels which demonstrate the maturity and reliability of a company’s cybersecurity infrastructure to guarantee the safeguarding of government information on the contractor’s information system. The levels are cumulative meaning that as they ascend, compliance with the lower levels if required.
Within the CMMC there are 17 domains, made up of 43 capabilities. The CMMC is divided into 171 practices – the technical activities required within any given capability requirement; and 5 processes – which measure the maturity of the organization’s institutionalization. The practices and processes are parallel to one another; therefore, an organization must meet the requirements for the level they seek in both the practice and the process realms. If not, the contractor will be certified on the lowest level that they achieve in either process or practice.
Not all contractors need to achieve a level 5 certificate; it depends on the sensitivity of the DoD information that said contractor will work with, and the range of cyber threats associated with the information.
Below is a figure demonstrating the CMMC levels and descriptions.
Prior to CMMC, DFARS clause 252.204-7012 stipulated that the contractors were tasked with implementing, monitoring, and certifying the security of their technology systems and any sensitive DoD information stored on or transferred by those systems. Contractors are still responsible for implementing key cybersecurity capabilities, but CMMC provides the DoD with additional security assurance in the form of a third-party assessment of contractors’ compliance with specific mandatory practices, procedures and capabilities that can adapt to new and evolving cyber threats from adversaries.
Next steps for contractors
Contractors need to get familiarized with the CMMC’s technical requirements and ready themselves for both certification, and long-term cybersecurity agility. Contractors should evaluate their practices, procedures and gaps, and take action to patch any identified vulnerabilities.
This is where Sepio Systems provides assistance to DoD contractors. Sepio’s SaaS can further equip organizations to comply with the CMMC regulation, providing coverage over a realm of practices, up to level 5.
As the leader in Rogue Device Mitigation (RDM), Sepio Systems’ Hardware Access Control solution (HAC1) provides ultimate visibility into all peripherals, uncovering hidden hardware attacks operating over network and USB interfaces.
The only company in the world to undertake Physical Layer fingerprinting, Sepio Systems calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices, automatically blocking any attacks.
Feel free to contact our sales team to further discuss the usage and benefits of Sepio Systems and how we can help you achieve CMMC compliance.