CYBERSECURITY MATURITY MODEL CERTIFICATION
"The Department of Defense is drafting a new standard called the Cybersecurity Maturity Model Certification. This standard will replace NIST 800-171 on DoD RFIs and RFPs beginning in mid-2020. The CMMC contains five levels, ranging from basic hygiene to state-of-the-art. Unlike NIST 800-171, the CMMC will not contain a self-attestation component. Every organization that does business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime."
Katie Arrington OUSD(A&S)
Professional Services Council
"What Contractors Need To Know About DoD's CMMC" Webinar, July 17, 2019
WHAT IS CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB). It is a new compliance requirement and the DoD's response to significant compromises of sensitive defense information held on contractors' information systems. CMMC replaces the current self-assessment model and requires third-party certification. There are five (5) CMMC levels designed to assess and measure the cybersecurity practices of contractors. The five levels are tiered and build on each other's technical requirements: each level requires compliance with the lower-level requirements plus the institutionalization of additional processes to implement specific cybersecurity practices. Organizations can prepare by undergoing a thorough CMMC readiness audit.
LEVEL 1: BASIC CYBER HYGIENE / PERFORMED
Anyone doing business with the DoD must achieve at least Level 1 compliance. This level requires basic cybersecurity hygiene practices appropriate for smaller companies that handle only FCI. No processes are required. Level 1 controls are equivalent to all of the safeguarding requirements of FAR Clause 52.204-21.
LEVEL 2: INTERMEDIATE CYBER HYGIENE / DOCUMENTED
Level 2 involves universally accepted cybersecurity best practices that must be documented, with access to CUI requiring multi-factor authentication. Level 2 is not designed to be a destination; it is a transitional level for companies moving toward Level 3 certification.
LEVEL 3: GOOD CYBER HYGIENE / MANAGED
All of the NIST SP 800-171 practices are required at this level, plus 20 additional requirements drawn from other compliance frameworks. The goal of this level is to protect CUI. Processes at this level are well followed and maintained, with comprehensive knowledge of all cyber assets.
Level 4 requires the implementation of 26 additional advanced and sophisticated cybersecurity practices, based largely on the CMMC adaptation of NIST SP 800-171B. Controls at this level are focused on thwarting Advanced Persistent Threats (APTs). Level 4 processes are regularly reviewed, properly resourced, and improved company-wide.
Level 5 requires 44 additional security practices, most of which are CMMC adaptations of NIST SP 800-171B. The focus is again on thwarting APTs. Highly advanced cybersecurity practices must be in place, and processes implemented at this level must be continually reviewed and improved across the enterprise, with machine-speed breach response.
WHAT WE ARE
UpSlope Advisors RPs have an extensive background, knowledge, and awareness of cybersecurity compliance.
We provide guidance and counsel that follows the CMMC Standard.
Our assessments and solutions are in line with the CMMC-AB Professional Code of Conduct.
Our experts will tailor a process and solution that is unique to your organization and fits your specific needs to meet the certification requirements.