Article | April 30, 2020

What is CMMC and How Do I Certify?


The new Cybersecurity Maturity Model Certification (CMMC) has begun to appear in Department of Defense (DoD) federal contracts. While the full progression of the certification requirement will not be complete until fiscal year 2026, the draft framework has been released and is being reviewed in the rulemaking process. By fiscal year 2026 all DoD contracts will require certification for both the Prime contractors and subcontractors.

To ensure all DoD contractors can comply, certification is broken down into five levels. This allows both small and large defense contractors to comply, and the required level is determined by what information is protected. The CMMC’s five levels were developed with controls borrowed from National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Community Emergency Response Team (CERT), and other frameworks, along with a few new controls.

CMMC level one is the starting point and first level of certification. This level looks at the performance of security controls and overall basic cyber hygiene. The focus is to protect federal contract information. By fiscal year 2026, all DoD contracts will require at least this certification level.

CMMC level two requires all the controls from level one to be met and adds the requirement of documentation. These controls and the documentation represent an overall intermediate cyber hygiene. This level is also the transitional step in the model and progresses the maturity of the organization towards protecting Controlled Unclassified Information (CUI).

CMMC level three certification covers the previous levels' controls and moves from security being performed and documented to also being managed. Organizations at this level have good cyber hygiene and protect CUI.

CMMC level four takes the previous three levels and adds a review element. Organizations that are certified level four are proactive in security and are not only protecting CUI but are also reducing their risk of attack from Advanced Persistent Threats (APTs).

CMMC level five is the top of the model. To achieve this certification all controls in the CMMC must be achieved. Organizations at this level are optimizing security processes, using advanced practices, protecting CUI, and reducing risk from APTs.

While the certification procedure is in process, it is important for all organizations that are doing business with, or hope to do business with, the DoD to start working towards compliance.

We can help

Elliott Davis has advisors who can help walk through the Cybersecurity Maturity Model Certification process. Contact the team to see how we can assist you.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.

