For the last year or so, CMMC 2.0 (Cybersecurity Maturity Model Certification) has been a big deal in the Defense Industrial Base, also known as the DIB. This is essentially the group of defense contractors and their counterparts that are currently doing work for the Department of Defense or are in the process of placing a bid on a future contract to be awarded.
But before any of this can happen, these contractors will have to be certified at some level of the CMMC 2.0. At the present time, there are three levels, which include the following:
- Level 1: Foundational Cyber Hygiene
- Level 2: Advanced Cyber Hygiene
- Level 3: Expert Cyber Hygiene
The above can be seen in the illustration below:
(SOURCE: 1).
As one can see, the basic premise of the CMMC 2.0 Maturity Levels is to ensure that your organization maintains the controls needed to safeguard the datasets that the DoD has entrusted to you. There are two of these datasets:
- The Controlled Unclassified Information (CUI);
- The Federal Contract Information (FCI).
There are a total of 17 controls (also known as “Domains”) within the above Maturity Levels. At some point in the certification process, your organization will be held accountable for owning and maintaining all of them. They can be seen in the diagram below:
(SOURCE: 2).
So, the very first step in getting certified is to conduct an assessment of where you currently stand.
What Is The Assessment?
This phase is also technically known as the “Gap Assessment”. Here, you analyze the controls that you already have in place and what more is needed in order to achieve certification. In other words, you are asking and answering four fundamental questions:
- What is the existing set of controls that my organization has?
- How dependable are they at the present time when it comes to the safeguarding of the FCI and CUI datasets?
- What will be done to remediate any existing gaps and weaknesses amongst them?
- What other extra controls will I need to implement and how will I go about deploying them?
This phase should not be taken lightly by any means whatsoever. This is the one chance that your organization has to prove to the DoD that you will be proactive in protecting the confidential datasets that they will be entrusting you with. Although the temptation might be high to rush this phase in order to get certified, the bottom line here is that you should take whatever time is needed in order to conduct an exhaustive and thorough Gap Analysis.
In this regard, in order to help avoid any sort of bias, you should seriously consider hiring what is known as a Registered Provider Organization (RPO), like KAMIND, to help you conduct your Gap Assessment. They have the tools and the knowledge that are needed to guide you through this first phase successfully.
Tools From Microsoft – The Placemat
There are also tools available that can help your organization in the Gap Analysis phase, such as the “Microsoft Product Placemat for the CMMC”.
In a holistic sense, this is a single-view dashboard that shows how your business is progressing towards CMMC certification when you are making use of Microsoft software packages, such as M365 and Azure.
Expert tips and advice are also provided to help you refine and hone any tasks or objectives that you may currently be working on. In addition, this tool is available free from KAMIND.
An example of the CMMC Placemat is seen in this illustration:
(SOURCE: 3).
Another great tool that your organization can use in conjunction with the Microsoft Placemat is a product from FutureFeed (https://futurefeed.co). It helps you keep your Gap Analysis updated on an automated, real-time basis. This is especially advantageous as you are attempting to get certified against the higher Maturity Levels of the CMMC. More information about this can be seen here.
Very Important – Don’t Miss Out!!!
To help guide you in this first phase of the CMMC 2.0 process, KAMIND is holding an exclusive CMMC Symposium in early 2022. To find out more about this, click here.
To find out more about KAMIND’s CMMC services, contact us today!!!