CMMC Compliance: A Checklist and Guide

Decoding CMMC Compliance: A Checklist and Guide

Cybersecurity Maturity Model Certification (CMMC) aims to protect critical defense information. We have put together a detailed resource that covers the topic in detail and puts you on the right track.

In Nov 2021, the Department of Defense (DoD) revised CMMC 1.0 to CMMC 2.0, making substantial changes. To make CMMC compliance easier, the DoD reduced the number of levels from 5 to 3. Since there are many technicalities involved, we at Intersec attempt to bring you the latest and most comprehensive information.

So, we will start with the most basic question:  

What is CMMC?

Developed by the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is a comprehensive standard for benchmarking and implementing cybersecurity across the Defense Industrial Base (DIB). The DIB includes over 300,000 companies working in the defense supply chain.

The CMMC standards are the DoD's mechanism for securing and protecting sensitive defense information shared with contractors working with the DoD.

The latest CMMC framework (CMMC 2.0) contains the following 3 levels:

CMMC Level 1 (Foundational Level): Practices and Controls

Access Control (AC)

  • AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  • AC.1.003: Verify and control/limit connections to and use of external information systems.
  • AC.1.004: Control information posted or processed on publicly accessible information systems.

Identification and Authentication (IA)

  • IA.1.076: Identify information system users, processes acting on behalf of users, or devices.
  • IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Media Protection (MP)

  • MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Physical Protection (PE)

  • PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  • PE.1.132: Escort visitors and monitor visitor activity.
  • PE.1.133: Maintain audit logs of physical access.
  • PE.1.134: Control and manage physical access devices.

System and Communications Protection (SC)

  • SC.1.175: Monitor, control, and protect organizational communications.
  • SC.1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

System and Information Integrity (SI)

  • SI.1.210: Identify, report, and correct information and information system flaws in a timely manner.
  • SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems.
  • SI.1.212: Update malicious code protection mechanisms when new releases are available.
  • SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

CMMC Level 2 (Advanced Level)

110 practices aligned with NIST SP 800-171

CMMC Level 3 (Expert Level)

110+ practices based on NIST SP 800-172

Before CMMC, the onus of implementing, monitoring, and certifying the security of information technology systems, and of the information stored in and relayed through those systems, rested with the contractors in the Defense Industrial Base.

The contractors were responsible for implementing and maintaining critical cybersecurity infrastructure and for meeting the required security compliance obligations.

The new CMMC standards replace this model by dividing CMMC compliance into 3 levels depending on the criticality of the information shared with contractors. As mentioned, the latest CMMC framework has 3 levels, namely Level 1 (Foundational Level), Level 2 (Advanced Level), and Level 3 (Expert Level). Third-party assessment of contractors' compliance is mandatory for CMMC Level 3.

Why does the DoD need a CMMC Framework?

The Department of Defense works with more than 300,000 companies listed under the Defense Industrial Base. These companies work closely with the DoD to develop everything from complex weapons, aircraft, missiles, and submarines to products as simple as shoes for defense personnel.

Working with the DIB involves sharing critical information with these contractors, and a leak of such information may pose risks to the interests of the US. The DoD acknowledges that the leakage of Controlled Unclassified Information (CUI) from the Defense Industrial Base has increased the risk to the US economy and national security.

Working closely with the Defense Industrial Base, the Department came up with detailed measures to protect, control, and reduce the risks that may result from the loss of critical Controlled Unclassified Information (CUI) from the DoD's unclassified networks.

The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) framework is the result of these efforts and contains protective measures and guidelines to ensure the security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).  

What are Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)?

Controlled Unclassified Information (CUI) is a class of unclassified information within the U.S. Federal government that requires safeguarding or dissemination controls according to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.  

Federal Contract Information (FCI) is information provided by or generated for the Government under a contract that has not been, or will not be, publicly released (within a reasonable period). The protection requirements for FCI are laid down in the Federal Acquisition Regulation (FAR).

The information above outlines the basics of CMMC 2.0. We will be covering every aspect of CMMC 2.0 in our upcoming blogs. Sign up for our newsletter to stay up-to-date on CMMC.  

About Intersec Inc  

InterSec Inc., a minority-owned Virginia corporation founded in 2013, is a one-stop cybersecurity service provider to small and medium-sized businesses. We bring thought leadership, industry best practices, subject matter experts (SMEs) with cybersecurity domain expertise, defense-in-depth, and deep technology experience in supporting customer-centric custom solutions and services.  

We are a CMMI Level 3, ISO 9001, and ISO 27001 appraised organization and committed to continually improving our processes and practices.  

InterSec is an active member of various industry groups such as (ISC)2 NoVA, ISSA, ISACA DC, OWASP NoVA, Reston Chamber of Commerce, and NVTC and is equipped with the required expertise to provide a full range of cybersecurity services, including program management, governance, CMMC Compliance, cybersecurity, and risk management to its Federal, State, and Commercial customers.