CMMC – New cybersecurity standards for contractors to secure sensitive information
Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) new regulatory compliance model for certifying contractors to ensure that their cybersecurity controls and processes are sufficient to secure the Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. The purpose of CMMC is to reduce complexity and confusion by consolidating a broad spectrum of regulations and guidelines, such as NIST 800-171, 48 CFR 52.204-21, DFARS clause 252.204-7012, and others.
CMMC Levels of Certification
CMMC categorizes cybersecurity programs based on the level of maturity of their practices and processes.
- Practices are the technical activities required within a capability requirement. CMMC evaluates 173 practices, and practice tiers range from “Basic Cyber Hygiene” to “Advanced/Progressive”.
- Processes measure the maturity of an organization’s cybersecurity procedures. CMMC evaluates nine (9) processes, and process tiers range from “Performed” to “Optimized”.
What CMMC Level do I need?
The CMMC maturity level your organization must achieve is based on the sensitivity of the information the contractor will work with.
- Organizations must meet both Practice and Process requirements for the level they wish to achieve.
- Organizations will have to achieve all requirements for lower levels as well as the level they wish to achieve.
- CMMC requirements apply to sub-contractors as well. Subcontractors do not need to achieve the same level as the prime contractor, but they will need to achieve the CMMC level that corresponds with the sensitivity of the information they will work with.
CMMC requires external assessments to be completed by Third Party Assessment Organizations (C3PAOs). Assessments will determine the contractor’s CMMC level, and contractors who do not meet the requirements associated with the level required by their contract will not be able to do business with the DoD.
Are you ready for CMMC?
Fortress CMMC Solutions
- Fortress Platform Supply Chain Risk Management module mapped to CMMC requirements
- Fortress CMMC Assessment Prep
- CMMC Vendor Assessment
- CMMC Product Assessment
- CMMC Continuous Monitoring
- Asset to Vendor Network cybersecurity information exchange
Fortress Solutions Help You Prepare for CMMC Compliance
- Software Platform
- Data & Analytics
- Information Exchange
Fortress is an Orchestration Platform with modules to manage third party risk and vulnerability risk.
Fortress provides vendor and product assessments, resolution and program management. Assessment services can be interchanged throughout the contract.
Data & Analytics
Fortress subscribes to dozens of data sources and has a team of research analysts that enable data-driven solutions and comprehensive monitoring.
The Asset to Vendor Network is the only exchange that is utility focused, offers royalties and provides both product and vendor assessments.
Get in touch
Want to find out how Fortress can solve problems specific to your business?