DoD Cybersecurity Maturity Model Certification (CMMC)
DoD’s new Cybersecurity Maturity Model Certification (CMMC) version 1.0 was published on 31 January 2020 (c.f., https://www.acq.osd.mil/cmmc/index.html).
Peak InfoSec monitored and participated in the draft reviews of the new DoD compliance framework since its first draft.
Get Ready for Significant Changes
- They added a new term from the Federal Acquisition Regulation: Federal Contracting Information (FCI)
- Demonstrating compliance will no longer be self-attestation (in other words, "we are compliant because we tell you we are")
- Getting the "Certification" in CMMC will require a 3rd party audit. This means you need to prove your compliance and be ready to do so before the Auditor arrives (hint, hint…What is an "Evidence Book"?)
- CMMC is looking at both the Practices (is your firm doing what the compliance requirements require) and your firm's Process Maturity Levels…
  - Do you have policies, plans, & procedures?
  - Have you resourced them? Yep, they will want to understand your Information Security resourcing plan
  - Are you monitoring, measuring, and seeking to improve your organization's Information Security effectiveness?
- Expect a heavy supply chain focus. The auditors will be reviewing your contracts with sub-contractors and any organizations that have access to FCI/CUI (hint, hint…Does our IT or Managed Service Provider (MSP) have to be compliant?)
- There are more requirements from outside of NIST SP 800-171.
Find out more about the CMMC at…
For more information, please contact us at firstname.lastname@example.org.