CMMC stands for Cybersecurity Maturity Model Certification, and it is a requirement for contractors who work with the Department of Defense (DOD). The CMMC framework is based on the NIST 800-171 and NIST 800-172 standards, which define the best practices for protecting sensitive data. The current version of the CMMC model has three levels of certification, ranging from basic to advanced. Depending on the type and level of service provided to the DOD, contractors need to achieve a certain level of certification.
Let's dive into Level 1, the most common certification level applicable to small and medium-sized businesses. At this foundational level, emphasis is placed on implementing essential cybersecurity risk management practices to safeguard against cyber threats. Along with basic cybersecurity hygiene, authentication and access control take center stage, ensuring that only authorized individuals have access to specific information.
The CMMC Level 1 certification requires adherence to a set of 17 controls from the six practice areas mentioned above. All 17 controls align with the Federal Acquisition Regulation (FAR) clause 52.204-21. Let's break down these controls and understand their significance in achieving CMMC Level 1 compliance.
Contractors aiming for Level 1 certification must conduct a comprehensive self-assessment, evaluating their compliance with the 17 control points across the six practice areas. For each control point, contractors need to establish a policy, a control, and a process to identify and address any deviations that may arise.
When self-assessing, contractors need to be honest and thorough and be prepared to provide evidence of their compliance if requested. They also need to ensure that their policies, controls, and processes apply to all the technology they use in their organization, with very few exceptions.
How to Achieve CMMC Self-Certification with an MSSP
To achieve CMMC self-certification, an organization needs to meet a certain score based on the implementation of security controls and policies. An MSSP is a Managed Security Service Provider, a company that offers cybersecurity services to other organizations. An MSSP can provide valuable assistance with CMMC self-certification by helping the organization improve its score, deploy the required controls, and write the appropriate documentation.
What will an MSSP do?