COLT Cyber Security Consultants, LLC
Solutions

Cybersecurity Maturity Model Certification (CMMC)

COLT CSC are experts in the NIST 800 series cybersecurity framework: the security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations, and the certification that allows companies to remain competitive in government contracting.


Relevant requirements:

  • FAR 52.204-21
  • NIST SP 800-171 & SP 800-53
  • DFARS 252.204-7012



Edge Computing


To enable next-generation applications and services, COLT CSC has teamed with Velocity Management Solutions to create a platform that enables applications at the network edge. The platform allows remote operators to effectively deploy field operations and operate edge applications within the fabric of their remote network using today’s latest edge computing technology.


Cyber Security Strategy


COLT CSC can quickly help an organization develop its cyber security strategy (CSS). This plan of action is designed to improve the security and resilience of a business's infrastructure and services. A CSS is a high-level, top-down approach to cyber security that establishes a range of operational approaches and priorities to be achieved within a specific time frame. Take time to protect your workplace from would-be cyber attackers. Contact COLT Cyber Security Consultants, LLC to get started on your CSS.

Schedule your Strategic Session today

Technical Consultation


Technical consultation covers applying the Risk Management Framework (RMF) within smart and connected infrastructure. Smart cities use different types of electronic Internet of Things (IoT) sensors to collect data, then use the insights and Artificial Intelligence (AI) gained from that data to manage assets, resources, and services efficiently.

Learn how to protect your devices or your business!


CMMC Compliance

Interim Guidance - October 6, 2020

Cybersecurity Maturity Model Certification

What is CMMC?

The Department of Defense (DoD) has announced the introduction of a new program called the Cybersecurity Maturity Model Certification (CMMC). CMMC will serve as a framework for the enforcement of the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. The current DFARS cyber security requirements were implemented in December 2017 to provide security protection for controlled unclassified information (CUI) as provided by the NIST SP 800-171 codification.


The CMMC framework associates different security processes and practices with multiple levels (one through five). The higher the level, the more complex and important the security posture.


It’s important to note that ANY organization that does business with the Defense department must meet a required maturity level of the CMMC program. 


The previous self-assessment process is being replaced by audits from qualified, accredited 3rd-party organizations (C3PAOs). Auditors will determine the appropriate maturity level that the contractor, or subcontractor, has achieved. The CMMC program has put focus on making sure the certification process is both affordable and straightforward.

WHY CMMC?

Background

  • The aggregate loss of controlled unclassified information (CUI) from the Defense Industrial Base (DIB) sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.  
  • Back in 2015, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS). This stipulated that all private contractors working for the DoD must abide by the cybersecurity standards of NIST SP 800-171.
  • The rationale behind DFARS is to better guard the nation’s defense supply chain against the threats posed by cyber attackers domestically and internationally.
  • DFARS has forced more than 300,000 private DoD contractors to adopt these new standards so they can comply with the current law.

CMMC compliance?

The CMMC certification is intended to serve as a verification mechanism to ensure appropriate levels of cyber security practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

The CMMC is expected to guarantee the security standards of contractors and to better control the supply of Controlled Unclassified Information (CUI). Currently, the CMMC is in its early stages of development. DoD contractors need to be aware of the current status of CMMC, how it will impact them, and how they can prepare for potential CMMC audits in the future.

CMMC Audits?

The DoD will use a pool of certified third party audit organizations (C3PAOs) to carry out audits and verify the level of cybersecurity controls institutionalized by contractors. These C3PAOs will be responsible for measuring compliance and providing guidance on current levels of risk. No longer can a DoD contractor self-audit/certify.

...(The Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC Department is aware that some entities have made claims of being able to provide CMMC certifications for the purposes of contracting with the DoD. The requirements for becoming a CMMC Third Party Assessment Organization (C3PAO) are not yet established. As a result, there are no third-party entities at this time that have been credentialed to conduct a CMMC assessment which will be accepted by the CMMC Accreditation Body. Similarly, at this time, only training materials or presentations provided by the Department will reflect the Department’s official position with respect to the CMMC program.)

CMMC Timeline

  • Effective immediately: Contractors must assess NIST 800-171 compliance.
  • Mar 18, 2020: CMMC v1.02 released with appendices.
  • June 2020: C3PAO certifications begin.
  • Sep 29, 2020: Interim rule released by DoD.
  • May 2022: CMMC 2.0 implemented.
  • May 26, 2024: Final language approved.
  • Sep 30, 2025: Certification mandatory.

CMMC Levels 1-3

The CMMC Framework consists of maturity processes and cyber security best practices from multiple standards, frameworks, and other references, and organizes them into a set of domains mapped across FIVE levels.

LEVEL 1 (Basic Cyber Hygiene)

The baseline requirement for all DoD contractors and subcontractors is described as “basic cyber hygiene.” Though few processes require documentation at this level, each organization must be able to demonstrate institutionalized network and physical security functions across 17 cyber security practices. Basic cyber hygiene is required for all contractors to protect Federal Contract Information (FCI).

LEVEL 2 (Good Cyber Hygiene)

Organizations must demonstrate “managed processes” and “good cyber hygiene” commensurate with protecting Controlled Unclassified Information (CUI).

Level 2 contains 110 practices for safeguarding CUI. These are the foundational security controls found in NIST SP 800-171, the guiding document for CMMC.

LEVEL 3 (Advanced/Progressive Security)

Organizations further build upon the safeguards against Advanced Persistent Threats (APT) by adding 61 more practice requirements (an overall total of 171). The goal for Level 3 organizations is an “advanced/progressive” cyber maturity that is optimized across the entire organization. This represents the highest level of cyber maturity expected at the unclassified level.

Preparation Concepts

Preparing for a CMMC Audit


Different CMMC levels will require contractors to comply with progressively more difficult security controls. Contractors who already have full NIST SP 800-171 controls shouldn’t experience many problems achieving at least a Level 3 “Good Cyber Hygiene” CMMC certification.

However, if this has yet to be achieved, there are options for contractors as they prepare for a 2020 CMMC audit.

Outsourcing a CMMC Consultant

For small and medium-sized businesses, the appropriate course of action is to invest in outsourcing the process of getting CMMC certified.

In particular, outsourcing to a Managed Security Service Provider (MSSP) will enable contractors to get the expertise required.

Ultimately, the responsibility remains with the contractor to meet the necessary cyber security standards.

Although it may be tempting to do everything in-house, outsourcing the process to a qualified MSSP will likely save you both time and money.

DoIT Yourself

Contractors who possess the IT personnel and resources may want to consider a do-it-yourself preparation for the C3PAO audit.

See the Self Assessment Handbook, NIST HB 162. This handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements of NIST SP 800-171 rev 2, “Protecting Controlled Unclassified Information in Non-federal Systems and Organizations.”

STEP-wise Approach

This is an urgent topic. Your competitors are preparing for it!  

A tactical “STEP-wise” approach speeds the certification process and maximizes your time.


STEP 1. You determine which CMMC level is appropriate for your company.

STEP 2. You outsource COLT CSC to conduct a CMMC pre-assessment (Interim Guidance: SPRS score).

STEP 3. You and COLT CSC correct faults (software purchases, system configurations, username/password management).

STEP 4. You hire a Certified Third-Party Audit Organization (C3PAO).

STEP 5. The C3PAO auditor verifies CMMC Level compliance and issues YOU your CMMC Certification!

Check back often!

How Do DoD Contractors Get CMMC Certified?

The only way to get CMMC certified is through an independent assessor (Certified 3rd party Audit Organization, C3PAO). Contractors will need to schedule an audit.


CMMC Domains

The CMMC model consists of 14 domains. These domains are derived from security-related areas in Federal Information Processing Standards (FIPS) and NIST 800-171, covering essential cybersecurity practices. Some domains require technical solutions, such as IT software or hardware implementations, while others focus on cultural changes and organizational practices that do not involve technical tools.

Preparing for a CMMC Audit the Right Way

COLT Cyber Security Consultants has managed DoD networks and provided expert help across federal, state and local partners’ networks.

Our professionals specialize in DoD Cyber Security Readiness, which makes them a great asset to DoD contractors preparing for the latest cybersecurity standards in the US.

Contact COLT CSC today!

Copyright © 2020 COLT Cyber Security Consultants, LLC - All Rights Reserved.


DUNS:  117438018        CAGE:  8JXZ8
