GET PREPARED FOR CMMC

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense's (DoD) new information security framework and audit program, which creates a unified cybersecurity standard. It is designed to improve cybersecurity within the Defense Industrial Base (DIB) by ensuring contractors and subcontractors can adequately protect Controlled Unclassified Information (CUI). The CMMC combines, consolidates, and expands existing DoD contractor compliance standards such as NIST SP 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012 (and others), while extending the security and reporting requirements of those standards. This document offers in-depth information about these standards and requirements. In a broad sense, these are the essentials:

1. In order to respond to RFPs (starting now for many contracts, but universally by 2026), you need to be CMMC compliant.
2. You're no longer allowed to self-report. You have to pass an audit by a certified third-party assessment organization (C3PAO).
3. There are five levels of security compliance called maturity levels (one being the lowest, five being the highest). You can bid on any contract at or below the maturity level you've demonstrated, but not above that level.
ABOUT NIST SP 800-171 COMPLIANCE

NIST SP 800-171, National Institute of Standards and Technology Special Publication 800-171, was established to govern Controlled Unclassified Information (CUI) in non-federal information systems and organizations, and is one of the major compliance standards under the new CMMC framework. The compliance comprises three fundamental requirements:
• Verify the identities of the users who attempt to gain access
• Regulate the users' access and rights based on their entitlements (e.g. privileged users, non-privileged users)
• Trace the actions of privileged users
axiad.com
axiad
@axiadIDS