What is Cybersecurity Maturity Model Certification (CMMC)?

In our technology-driven world, there is nothing more valuable than data.

Nearly all organizations are feeling increased pressure from governments, evolving legislation, and prime contractors encouraging businesses to implement robust cybersecurity programs to safeguard their sensitive data. Read on for tips on obtaining compliance and reducing cyber threat risks through a Cybersecurity Maturity Model Certification (CMMC).

August 23, 2022

DFARS 252.204-7019 and NIST SP 800-171 – What does it All Mean?

If your organization works within the defense industry, you are likely familiar with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019. This federal act requires that any Department of Defense (DoD) contractor working with covered defense information (CDI) and controlled unclassified information (CUI) protect their data using the NIST SP 800-171 security protocol.

NIST SP 800-171 is a code of requirements that any non-Federal organization must follow in order to store, use, or transmit CUI, and provide security protection for their systems. This system is comprised of 110 security practices that are organized into 14 domains, each related to a general security area. For a time, contractors who worked with the DoD were only required to self-attest their compliance with DFARS and NIST SP 800-171. They were responsible for implementing, monitoring, and certifying the security of their IT systems and any sensitive information stored there.

In September 2020, the DoD published an update to the DFARS requiring the use of the Cybersecurity Maturity Model Certification (CMMC) framework to evaluate contractor compliance and enhance security standards.

What is CMMC?

Cybersecurity Maturity Model Certification, or CMMC 2.0, is a unified system of compliance levels that help the DoD and other governmental agencies determine whether an organization has the security necessary to work with controlled or sensitive data. Related to the NIST SP 800-171, CMMC contains three different maturity levels suppliers are required to meet – Foundational, Advanced, and Expert. While certification can be an extensive process, its main goal is to identify gaps and opportunities in a security system and how mature an organization’s security initiatives are.

Today, all 300,000 DoD contractors and researchers will need to obtain third-party certification to meet requirements for CMMC, as well as the maturity level appropriate to the work they do with the DoD.

Contractors that do not follow compliance within these frameworks may be subject to criminal and civil penalties. These standards must be followed in order to maintain the integrity of sensitive data that is essential for federal agencies to conduct assigned missions and business operations.

Initial Steps to Compliance (CMMC Checklist)

Before working towards CMMC compliance, it is recommended that organizations review the following checklist:

Familiarize Yourself with CMMC
- Stay up-to-date on new developments regarding CMMC versions, and use the official DoD site as your primary source of information
Assign Responsibilities
- Establish a team that will educate users on the new framework and assign responsibilities for working towards CMMC compliance
Determine Appropriate CMMC levels
- Reference DoD contracts which will determine the flow-down of supply chain maturity level requirements. Note: Any contractor required to protect CUI must achieve at least Level 2
Conduct Gap Assessment
- Examine the current state of your cybersecurity and identify gaps between your capabilities and the requirements for the CMMC level sought
Submit Assessment Score to SPRS
- Submit assessment score to the Supplier Performance Risk System (SPRS); the web-based app utilized by the DoD to gather, process and display data about the performance of suppliers
Establish Budget and Remediation Plan
- Create a budget and remediation plan that includes impact, cost, resources, time to implement, and tracking progress to help guide your work

What to Expect from a CMMC Assessment?

When working towards CMMC compliance, your organization will need to work with a Registered Provider Organization (RPO), like Vancord, to ensure your data is protected and that you are in compliance with the necessary legal requirements.

To meet NIST 800-171 requirements and prepare you for CMMC certification, Registered Practitioners (RPs) will perform the following services:

Gap Assessment
- RPs will assess the current state of the organization’s cybersecurity against the controls in NIST 800-171 and CMMC 2.0 to identify areas of improvement necessary to achieve certification.
Establish Objectives and Resources
- Organization to choose the proper certification level based on current business needs and long-term goals to develop objectives and resources needed.
Develop a Plan of Action and Milestones (POAM)
- By comparing controls currently in place to the appropriate level control requirements, RPs will prioritize remediations and develop a plan of action and milestones
Develop a Tailored System Security Plan (SSP)
- A customized and comprehensive security plan (SSP) will be established, defining the performance of suppliers and identifying systems in scope.
Prepare a Company for Official Certification
- A CMMC Third-Party Assessor Organization will perform the official assessment. Pending results, your organization will receive official certification.

Who Needs CMMC Certification?

Organizations within the defense industry, specifically manufacturers or contractors that operate with CUI, must be CMMC certified. This may apply to companies that support the aerospace, naval, or military sectors and engineers and manufacturers that produce machine parts or coating. Government contracts will often indicate what level of compliance and certification is required. For example, the level of clearance needed depends on the project and the type of information your organization is working with.

Why Choose Vancord for your CMMC Assessment?

Vancord is a Registered Provider Organization equipped with a team of knowledgeable Registered Practitioners with a wealth of experience helping manufacturers and research institutions identify and remediate their NIST 800-171 and CMMC gaps to prepare for certification. Vancord has partnered with FutureFeed, a leading CMMC compliance management tool, to ensure that the assessment, remediation, and evidence are tracked and easily accessible to the third party assessor organization (3CPAO) you choose to work with for certification.

Our team of experts can help you navigate these requirements and provide:

Familiarization
Learn about the technical requirements and prepare for certification

Evaluation
Evaluate your current practices and procedures, identifying any potential gaps

Documentation
Document current controls and procedures against your appropriate CMMC level controls

Navigation
Be equipped to navigate and adhere to CMMC requirements

Start preparing now for long-term cybersecurity agility. Our CMMC Assessment Service will help you find the gaps in your cybersecurity networks, eliminate security weaknesses, and be ready for a CMMC certification. Request a meeting with our compliance experts today to get started.

Cybersecurity Tips In Your Inbox.

Get notified when we have something important to share!

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
drift_campaign_refresh	30 minutes	No description available.
li_gc	2 years	No description
loglevel	never	No description available.

Manage

Defend

Respond

Securing a Century: Reflecting on 100 Episodes of CyberSound

What is Cybersecurity Maturity Model Certification (CMMC)?

DFARS 252.204-7019 and NIST SP 800-171 – What does it All Mean?

What is CMMC?

Initial Steps to Compliance (CMMC Checklist)

What to Expect from a CMMC Assessment?

Who Needs CMMC Certification?

Why Choose Vancord for your CMMC Assessment?

Why is Network Security Important?

Hiring & Retaining Talent in Information Technology

MSSP Explained – The Vancord Difference

Cybersecurity Tips In Your Inbox.