The DoD CMMC procedure has been developed by the Department of Defense (DoD) to certify that contractors are protecting sensitive data. The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for existing DoD contractors, replacing a self-attestation model with third-party certification.
All DoD contractors will need to become CMMC certified by passing a CMMC audit to verify they have met the appropriate level of cybersecurity for their business. Eventually, this will also apply to DoD sub-contractors or work on related projects.
The CMMC model combines various existing cybersecurity control standards. It measures cybersecurity standards, classifying contractors by the following maturity levels:
Level 1 – “Basic Cyber Hygiene” – Implement 17 controls of NIST 800-171 rev1.
Level 2 – “Intermediate Cyber Hygiene” – Implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.
Level 3 – “Good Cyber Hygiene” – Implement the final 45 controls of NIST 800-171 rev1 plus 13 new “Other” controls.
Level 4 – “Proactive” – Implement 11 controls of NIST 800-171 RevB plus 15 new “Other” controls.
Level 5 – “Advanced / Progressive” – Implement the final 4 controls in NIST 800-171 RevB plus 11 new “Other” controls.
Each DoD contractor is awarded a certification Level of 1-5 if they comply with 100% of the controls for a given Level. Audits are conducted by certified third-party assessor organizations (C3PAOs).
All DoD contractors must be CMMC certified by October of 2020 if they wish to be allowed to bid on new government projects. Without the certification, contractors will not be permitted to bid on DoD projects.
CyGov delivers streamlined, automated data collection and analysis, prioritized remediation guidance and real-time customized scoring to meet the CMMC requirements. CyGov has mapped CMMC back to its control inventory, allowing data to be shared across multiple frameworks through the platform, which creates time savings, money savings and more accurate data. Through the CyGov platform, organizations can gain full visibility into their cyber risk levels and compliance.