DoD Cybersecurity Maturity Model Certification (CMMC)

DoD’s new Cybersecurity Maturity Model Certification (CMMC) version 1.0 was published on 31 January 2020 (cf. https://www.acq.osd.mil/cmmc/index.html).

Peak InfoSec has monitored and participated in the draft reviews of the new DoD compliance framework since its first draft.

Get Ready for Significant Changes

  • A new term has been adopted from the Federal Acquisition Regulation: Federal Contract Information (FCI).
  • Demonstrating compliance will no longer be self-attestation (in other words, “we are compliant because we tell you we are”).
  • Getting the “Certification” in CMMC will require a third-party audit.  This means you need to prove your compliance and be ready to do so before the auditor arrives (hint, hint…What is an “Evidence Book”?).
  • CMMC looks at both your Practices (is your firm doing what the compliance requirements require?) and your firm’s Process Maturity Levels…
    • Do you have policies, plans, and procedures?
    • Have you resourced them?  Yep, they will want to understand your Information Security resourcing plan.
    • Are you monitoring, measuring, and seeking to improve your organization’s Information Security effectiveness?
  • Expect a heavy supply chain focus.  The auditors will be reviewing your contracts with sub-contractors and any organizations that have access to FCI/CUI (hint, hint…Does your IT or Managed Service Provider (MSP) have to be compliant?).
  • There are more requirements than those found in NIST SP 800-171.

Find out more about the CMMC at…

For more information, please contact us at info@peakinfosec.com.

Let’s Get Started

Information Security Turnaround Specialists