ConnectedGRC

Drive a Connected GRC Program for Improved Agility, Performance, and Resilience

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.

Learn More

Discover ConnectedGRC Solutions for Enterprise and Operational Resilience

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn More

Explore What Makes MetricStream the Right Choice for Our Customers

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Learn More

Discover How Our Collaborative Partnerships Drive Innovation and Success

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Learn More

Find Everything You Need to Build Your GRC Journey and Thrive on Risk

Download this report to explore why cyber risk is rising in significance as a business risk.

Download this report to explore why cyber risk is rising in significance as a business risk.

Learn More

Learn about our mission, vision, and core values

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Learn More
+1-650-620-2955
+1-650-620-2955 Contact Us Request Demo
×
Hit enter to search or ESC to close

What is CMMC?

 

Introduction

As the risk landscape intensifies, organizations are becoming laser-focused on ensuring cyber security and resilience across their ecosystem of partners, vendors, and suppliers. Against this backdrop, the US Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) in January 2020 to safeguard sensitive information spread across its extended enterprise.

What is CMMC?

The CMMC is a set of uniform requirements for DoD contractors, subcontractors, and vendors and aims to protect Controlled Unclassified Information (CUI) across the ecosystem.

CUI is any data that is generated or processed by the government or on behalf of the government. The CMMC framework establishes standard processes and practices for assessing the capabilities of a third-party DoD partner, contractors, vendor, and supplier, and it also extends to sub-contractors. The process requirements are based on the CERT Resilience Management Model (CERT- RMM), which underscores its focus on resilience.

In 2023, the Department of Defense submitted new proposed rules for CMMC to the White House’s Office of Information and Regulatory Affairs (OIRA) for review. CMMC 2.0 includes some key changes to the original framework and aims to protect the defense industrial base’s (DIB) sensitive unclassified information from advanced persistent threats (APTs). It is expected to simplify compliance, lower assessment costs, improve accountability, and more.

Who is Covered Under the CMMC Framework?

The CMMC framework applies to any contractor or supplier that conducts business with the DoD. Any organization that wants to work with the DoD and is likely to handle CUI will have to get a CMMC certification. This includes:

  • Suppliers across every level of the end-to-end supply chain
  • Small businesses
  • International suppliers and partners
  • Commercial item contractors
  • Sub-contractors
  • Higher education institutions that perform basic and applied research under contract

Exemptions

Only those organizations that produce Commercial – Off-The-Shelf (COTS) products are exempt from getting the CMMC certification.

What are CMMC Requirements?

The CMMC framework comprises a set of standardized processes and practices for evaluating a DoD vendor’s security and resilience posture and capabilities. The certification process comprises 5 levels and each level is based on and builds upon the previous one.

CMMC Certification Levels:

The 5 CMMC certification levels are:

levelsDescriptionRequirements
Level 1Basic Cyber Hygiene
  • Aims to protect Federal Contract Information
  • Includes basic cybersecurity practices and processes which need not be formally documented
  • Requires implementing:
    • 17 controls specified in the NIST 800-171 rev1
Level 2Intermediate Cyber Hygiene
  • Focuses on preparedness for safeguarding CUI 
  • Requires cybersecurity practices and processes to not just be performed but also well-documented
  • Requires implementing 72 controls: 
    • 17 controls mentioned in Level 1
    • Another 48 controls of the NIST 800-171 rev1
    • 7 new other controls
Level 3Good Cyber Hygiene
  • Aims to establish cybersecurity safeguards for CUI
  • Requires cybersecurity practices and processes to be performed, documented, and managed
  • Requires implementing 131 controls:
    • 72 controls mentioned in Level 2
    • The final 45 controls outlined in the NIST 800-171 rev1
    • 13 new other controls
Level 4Proactive Cyber Defense
  • Focuses on protecting CUI as well as preparing for APTs
  • Requires cybersecurity practices and processes to be performed, documented, managed, and reviewed
  • Requires implementing 157 controls:
    • 131 controls mentioned in Level 3 
    • 11 more controls of the NIST 800-171 rev2 
    • 15 new other controls
Level 5Advanced or Progressive Cyber Defense
  • Aims to protect CUI from APTs 
  • Requires cybersecurity practices and processes to be performed, documented, managed, reviewed, and optimized 
  • Requires implementing 173 controls:
    • 157 controls mentioned in Level 4 
    • The final 4 controls in NIST 800-171 rev2 
    • 11 new other controls

Level-Wise Accreditation

Each level carries a certification, and organizations that wish to achieve the certification must meet the required specifications across 43 capabilities and 17 capability domains.

Capability Domains

The 17 capability domains specified by the CMMC framework pertain to critical focus areas that help improve organizational security and resilience. These include:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

What is the Timeline for CMMC Certification?

DoD vendors have till 2025 to get CMMC accredited. They can seek a specific level of accreditation for their entire organizational ecosystem or for specific parts of their network where sensitive data is stored or processed, which require protection.

All future DoD Request for Proposals will specify the maturity level or CMMC certification the vendor has to be at in order to qualify for the bid. A comprehensive assessment of the business and the DoD data it handles is an essential first step for any organization that wants to be CMMC certified.

What is the CMMC Accreditation Process?

The certification process has been designed by the DoD in coordination with the CMMC Accreditation Body (CMMC-AB). Together, they have formulated a standardized process to create a pool of accredited CMMC Third Party Assessment Organizations and assessors who can manage the CMMC evaluation and certification process across levels.

Unlike NIST 800-171, which works on a self-assessment model, CMMC certification involves a third-party audit process. However, organizations that are already operating according to the standards set by the NIST 800-171 are in a stronger position.

To obtain their CMMC certification, interested organizations must follow these basic steps:

  • The organization must assess and identify the level of CMMC certification required
  • It should conduct a pre-assessment exercise with a self-assessment module
  • It must identify an accredited C3PAO for the formal assessment process
  • The assessment made by the C3PAO will be reviewed by the CMMC-AB reviewer
  • The organization will have 90 days in which to make any corrections or rectify any lapses identified during the formal assessment
  • Once the assessment meets the specified requirements for the level, the CMMC-AB issues a CMMC certificate of compliance that is valid for three years

Contractors need to pay for their CMMC assessments and cannot perform self-certifications. The assessment costs depend upon various factors, for example, the target CMMC levels. According to DoD, certain cybersecurity contracts can incur "allowable costs", which can help contractors pay for upgrades.

How to Achieve CMMC Compliance?

Organizations that want to achieve the CMMC certification must ensure cyber hygiene across their networks with an equal focus on people, processes, and technology. Some other focus areas while preparing for CMMC certification include:

Current Cybersecurity Maturity Levels

An organization can only achieve CMMC certification if its infrastructure is well protected against cyber attacks and it is resilient. This requires a comprehensive evaluation of the existing organizational cybersecurity maturity level, involving assessing processes, data storage and handling practices, policies and procedures, and the overall cybersecurity posture. Organizations must take a comprehensive view of their security infrastructure to establish the most effective security practices.

Comprehensive Cyber Risk and Resilience Program

It is important to have well-defined processes for the identification, assessment, mitigation, and management of cyber risks. Organizations must also have robust incident response plans as well as a recovery strategy in place so that the impact of any threats can be minimized, and the business can recover quickly. Implementing a technology-based solution can help streamline processes with automated workflows, reduce time, cost, and effort, and provide actionable insights in a timely manner.

Consolidated Compliance

Given the fraught risk environment modern enterprises operate in, there are multiple regulatory requirements to be complied with. Centralized and consolidated management of an organization’s compliance practices, along with harmonization of controls, can provide a top-level view of IT risk and compliance, reduce the cost of compliance, and maximize compliance efficiency.

Structured Self-Assessments

Organizations must be able to conduct IT compliance surveys and self-assessments easily. They should be able to analyze assessment results and base future decisions on the insights gained from them. 

Intelligent Issue Remediation Plan

AI/ML-powered workflows for investigating, documenting, and resolving compliance issues help to accelerate and streamline the issue management and remediation process, thereby improving overall compliance posture and cyber hygiene.

How Does MetricStream Help with CMMC Compliance?

MetricStream provides a simplified approach to implement the CMMC framework that helps organizations get CMMC certifications easily and quickly. Its centralized data model, along with harmonization of controls across various relevant IT standards and compliance requirement, simplify compliance with a “test once, comply with many” approach. Organizations can leverage pre-packaged content and integration with CMMC requirements, controls, and mappings to get their program up and running quickly. MetricStream provides comprehensive, holistic visibility of the organizational compliance posture with automated workflows for IT compliance management and powerful reports and dashboards.

MetricStream provides:

Centralized IT Compliance Environment

Organizations can create and maintain a centralized repository that helps them map controls for CMMC compliance with organizational assets, risks, processes, and business units. This centralized approach, coupled with access-controlled environment, enables effective monitoring of IT compliance processes, efficient assessment of control deficiencies, and streamlined remediation management.

Harmonization of Compliance Requirements

By harmonizing controls across IT regulations and frameworks, organizations can save significant costs and effort associated with CMMC compliance management. They can leverage the MetricStream GRC library to dynamically link IT regulations with Unified Compliance Framework (UCF) control statements.

Streamlined IT Compliance and Controls Assessments

Organizations can schedule automatic IT Compliance and Controls assessments using pre-defined criteria and checklists. MetricStream streamlines the entire process by providing user-friendly interfaces for performing control tests, attaching evidence, and scoring, tabulating, and reporting results.

Systematic Self-Assessments and Surveys

MetricStream enables organizations to conduct IT compliance surveys, certifications, and control self-assessments in a systematic manner with pre-defined templates and schedules. The data from surveys and assessments can be easily aggregated and analyzed to gain valuable insights for better-informed decision-making.

Efficient Issue and Remediation Management

With MetricStream, organizations can implement well-defined processes for efficiently documenting, investigating, and resolving IT compliance and control issues. They can leverage AI-powered capabilities to classify issues and get action plan recommendations. The solution allows to track the entire issue and remediation management process until issue closure, providing transparency to relevant stakeholders.

With MetricStream, you can:

  • Demonstrate compliance with CMMC to the Department of Defense (DOD) and customers successfully 
  • Achieve operational efficiencies by harmonizing controls across multiple standards and frameworks 
  • Improve decision-making by obtaining holistic, real-time visibility into the organizational IT compliance posture
  • Stay agile by staying on top of changes in regulatory standards and controls

To learn more about how MetricStream can help with IT compliance management, request a personalized product demo.

As the risk landscape intensifies, organizations are becoming laser-focused on ensuring cyber security and resilience across their ecosystem of partners, vendors, and suppliers. Against this backdrop, the US Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) in January 2020 to safeguard sensitive information spread across its extended enterprise.

The CMMC is a set of uniform requirements for DoD contractors, subcontractors, and vendors and aims to protect Controlled Unclassified Information (CUI) across the ecosystem.

CUI is any data that is generated or processed by the government or on behalf of the government. The CMMC framework establishes standard processes and practices for assessing the capabilities of a third-party DoD partner, contractors, vendor, and supplier, and it also extends to sub-contractors. The process requirements are based on the CERT Resilience Management Model (CERT- RMM), which underscores its focus on resilience.

In 2023, the Department of Defense submitted new proposed rules for CMMC to the White House’s Office of Information and Regulatory Affairs (OIRA) for review. CMMC 2.0 includes some key changes to the original framework and aims to protect the defense industrial base’s (DIB) sensitive unclassified information from advanced persistent threats (APTs). It is expected to simplify compliance, lower assessment costs, improve accountability, and more.

The CMMC framework applies to any contractor or supplier that conducts business with the DoD. Any organization that wants to work with the DoD and is likely to handle CUI will have to get a CMMC certification. This includes:

  • Suppliers across every level of the end-to-end supply chain
  • Small businesses
  • International suppliers and partners
  • Commercial item contractors
  • Sub-contractors
  • Higher education institutions that perform basic and applied research under contract

Exemptions

Only those organizations that produce Commercial – Off-The-Shelf (COTS) products are exempt from getting the CMMC certification.

The CMMC framework comprises a set of standardized processes and practices for evaluating a DoD vendor’s security and resilience posture and capabilities. The certification process comprises 5 levels and each level is based on and builds upon the previous one.

CMMC Certification Levels:

The 5 CMMC certification levels are:

levelsDescriptionRequirements
Level 1Basic Cyber Hygiene
  • Aims to protect Federal Contract Information
  • Includes basic cybersecurity practices and processes which need not be formally documented
  • Requires implementing:
    • 17 controls specified in the NIST 800-171 rev1
Level 2Intermediate Cyber Hygiene
  • Focuses on preparedness for safeguarding CUI 
  • Requires cybersecurity practices and processes to not just be performed but also well-documented
  • Requires implementing 72 controls: 
    • 17 controls mentioned in Level 1
    • Another 48 controls of the NIST 800-171 rev1
    • 7 new other controls
Level 3Good Cyber Hygiene
  • Aims to establish cybersecurity safeguards for CUI
  • Requires cybersecurity practices and processes to be performed, documented, and managed
  • Requires implementing 131 controls:
    • 72 controls mentioned in Level 2
    • The final 45 controls outlined in the NIST 800-171 rev1
    • 13 new other controls
Level 4Proactive Cyber Defense
  • Focuses on protecting CUI as well as preparing for APTs
  • Requires cybersecurity practices and processes to be performed, documented, managed, and reviewed
  • Requires implementing 157 controls:
    • 131 controls mentioned in Level 3 
    • 11 more controls of the NIST 800-171 rev2 
    • 15 new other controls
Level 5Advanced or Progressive Cyber Defense
  • Aims to protect CUI from APTs 
  • Requires cybersecurity practices and processes to be performed, documented, managed, reviewed, and optimized 
  • Requires implementing 173 controls:
    • 157 controls mentioned in Level 4 
    • The final 4 controls in NIST 800-171 rev2 
    • 11 new other controls

Level-Wise Accreditation

Each level carries a certification, and organizations that wish to achieve the certification must meet the required specifications across 43 capabilities and 17 capability domains.

Capability Domains

The 17 capability domains specified by the CMMC framework pertain to critical focus areas that help improve organizational security and resilience. These include:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

DoD vendors have till 2025 to get CMMC accredited. They can seek a specific level of accreditation for their entire organizational ecosystem or for specific parts of their network where sensitive data is stored or processed, which require protection.

All future DoD Request for Proposals will specify the maturity level or CMMC certification the vendor has to be at in order to qualify for the bid. A comprehensive assessment of the business and the DoD data it handles is an essential first step for any organization that wants to be CMMC certified.

The certification process has been designed by the DoD in coordination with the CMMC Accreditation Body (CMMC-AB). Together, they have formulated a standardized process to create a pool of accredited CMMC Third Party Assessment Organizations and assessors who can manage the CMMC evaluation and certification process across levels.

Unlike NIST 800-171, which works on a self-assessment model, CMMC certification involves a third-party audit process. However, organizations that are already operating according to the standards set by the NIST 800-171 are in a stronger position.

To obtain their CMMC certification, interested organizations must follow these basic steps:

  • The organization must assess and identify the level of CMMC certification required
  • It should conduct a pre-assessment exercise with a self-assessment module
  • It must identify an accredited C3PAO for the formal assessment process
  • The assessment made by the C3PAO will be reviewed by the CMMC-AB reviewer
  • The organization will have 90 days in which to make any corrections or rectify any lapses identified during the formal assessment
  • Once the assessment meets the specified requirements for the level, the CMMC-AB issues a CMMC certificate of compliance that is valid for three years

Contractors need to pay for their CMMC assessments and cannot perform self-certifications. The assessment costs depend upon various factors, for example, the target CMMC levels. According to DoD, certain cybersecurity contracts can incur "allowable costs", which can help contractors pay for upgrades.

Organizations that want to achieve the CMMC certification must ensure cyber hygiene across their networks with an equal focus on people, processes, and technology. Some other focus areas while preparing for CMMC certification include:

Current Cybersecurity Maturity Levels

An organization can only achieve CMMC certification if its infrastructure is well protected against cyber attacks and it is resilient. This requires a comprehensive evaluation of the existing organizational cybersecurity maturity level, involving assessing processes, data storage and handling practices, policies and procedures, and the overall cybersecurity posture. Organizations must take a comprehensive view of their security infrastructure to establish the most effective security practices.

Comprehensive Cyber Risk and Resilience Program

It is important to have well-defined processes for the identification, assessment, mitigation, and management of cyber risks. Organizations must also have robust incident response plans as well as a recovery strategy in place so that the impact of any threats can be minimized, and the business can recover quickly. Implementing a technology-based solution can help streamline processes with automated workflows, reduce time, cost, and effort, and provide actionable insights in a timely manner.

Consolidated Compliance

Given the fraught risk environment modern enterprises operate in, there are multiple regulatory requirements to be complied with. Centralized and consolidated management of an organization’s compliance practices, along with harmonization of controls, can provide a top-level view of IT risk and compliance, reduce the cost of compliance, and maximize compliance efficiency.

Structured Self-Assessments

Organizations must be able to conduct IT compliance surveys and self-assessments easily. They should be able to analyze assessment results and base future decisions on the insights gained from them. 

Intelligent Issue Remediation Plan

AI/ML-powered workflows for investigating, documenting, and resolving compliance issues help to accelerate and streamline the issue management and remediation process, thereby improving overall compliance posture and cyber hygiene.

MetricStream provides a simplified approach to implement the CMMC framework that helps organizations get CMMC certifications easily and quickly. Its centralized data model, along with harmonization of controls across various relevant IT standards and compliance requirement, simplify compliance with a “test once, comply with many” approach. Organizations can leverage pre-packaged content and integration with CMMC requirements, controls, and mappings to get their program up and running quickly. MetricStream provides comprehensive, holistic visibility of the organizational compliance posture with automated workflows for IT compliance management and powerful reports and dashboards.

MetricStream provides:

Centralized IT Compliance Environment

Organizations can create and maintain a centralized repository that helps them map controls for CMMC compliance with organizational assets, risks, processes, and business units. This centralized approach, coupled with access-controlled environment, enables effective monitoring of IT compliance processes, efficient assessment of control deficiencies, and streamlined remediation management.

Harmonization of Compliance Requirements

By harmonizing controls across IT regulations and frameworks, organizations can save significant costs and effort associated with CMMC compliance management. They can leverage the MetricStream GRC library to dynamically link IT regulations with Unified Compliance Framework (UCF) control statements.

Streamlined IT Compliance and Controls Assessments

Organizations can schedule automatic IT Compliance and Controls assessments using pre-defined criteria and checklists. MetricStream streamlines the entire process by providing user-friendly interfaces for performing control tests, attaching evidence, and scoring, tabulating, and reporting results.

Systematic Self-Assessments and Surveys

MetricStream enables organizations to conduct IT compliance surveys, certifications, and control self-assessments in a systematic manner with pre-defined templates and schedules. The data from surveys and assessments can be easily aggregated and analyzed to gain valuable insights for better-informed decision-making.

Efficient Issue and Remediation Management

With MetricStream, organizations can implement well-defined processes for efficiently documenting, investigating, and resolving IT compliance and control issues. They can leverage AI-powered capabilities to classify issues and get action plan recommendations. The solution allows to track the entire issue and remediation management process until issue closure, providing transparency to relevant stakeholders.

With MetricStream, you can:

  • Demonstrate compliance with CMMC to the Department of Defense (DOD) and customers successfully 
  • Achieve operational efficiencies by harmonizing controls across multiple standards and frameworks 
  • Improve decision-making by obtaining holistic, real-time visibility into the organizational IT compliance posture
  • Stay agile by staying on top of changes in regulatory standards and controls

To learn more about how MetricStream can help with IT compliance management, request a personalized product demo.

lets-talk-img

Ready to get started?

Speak to our experts Let’s talk