Cybersecurity Maturity Model Certification Framework (CMMC) 2.0

CMMC 2.0 is a Department of Defense (DoD) certification framework. It is designed to assure DoD that a Defense Industrial Base (DIB) contractor can adequately protect Controlled Unclassified Information (CUI) at a level commensurate with the risk, taking into account information that flows down to its subcontractors in a multi-tier supply chain. The framework (model) measures a company's implementation of cybersecurity requirements and the associated set of practices across 14 domains at three different but cumulative levels:

  • Level 1 consists of the basic safeguarding requirements for Federal Contract Information (FCI) specified in FAR clause 52.204-21

  • Level 2 consists of the security requirements for CUI specified in NIST SP 800-171 per DFARS clause 252.204-7012 [3,4,5]

  • Level 3 is proposed to consist of the subset of security requirements specified in NIST SP 800-172

For an organization to achieve a certain CMMC level, it must also demonstrate achievement of the preceding lower level(s). According to the DoD, a DIB contractor can achieve a specific CMMC level for its entire network or for a particular segment(s) or enclave(s), depending on where the information to be protected is processed and stored.

The figure below shows the three levels of CMMC 2.0, their components and required assessment types.

CMMC 2.0 requirements must flow down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor. CMMC takes a risk-based approach to addressing cyber threats: a DIB company must achieve the CMMC level appropriate to the type and sensitivity of the information to be protected. The 14 security domains contained in the CMMC 2.0 model are as follows:

Our Related Services

Our team of experienced consultants can assist in the following areas:

  • Establishing a compliance management solution for ongoing monitoring, maintenance, and maturation of your compliance efforts

  • Planning the implementation of network segmentation for the CUI environment

  • Documenting the System Security Plan (SSP), creating a logical network diagram, and documenting an inventory of all systems, applications, and services

  • Determining in-scope and out-of-scope assets

  • Performing gap analysis between your current security controls posture and the applicable security control requirements

  • Developing or enhancing requisite security policies and procedures

Give us a call at 954-362-7113 or schedule an appointment for a free consultation to get started.
