
Managed CMMC Compliance

One common misconception is that CMMC compliance is the same thing as NIST SP 800-171 compliance. That is not entirely true, especially at the higher levels of CMMC, which include requirements drawn from frameworks other than NIST SP 800-171.

CMMC’s ultimate aim is to ensure that defense contractors do not get hacked, resulting in the loss of sensitive defense information that could fall into the hands of U.S. adversaries. The White House Council of Economic Advisers estimated in 2018 that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.

To counter this threat, the DOD developed the CMMC, which is designed to be a “unifying standard for the implementation of cybersecurity across” the DIB (Defense Industrial Base).

The CMMC framework includes a “comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level,” according to the DOD.

According to the Pentagon, the framework is designed to ensure that defense contractors “can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.”

Understanding NIST SP 800-171 Compliance vs CMMC Assessments

  • Compliance with NIST SP 800-171 is required for any contractor or subcontractor that stores, transmits or processes Controlled Unclassified Information (CUI). This has been a requirement since 1 January 2018 and it remains a requirement under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Compliance efforts consisted of “self-attestation” rather than a more traditional third-party auditor evaluation, and this partially led to a low rate of compliance across the Defense Industrial Base (DIB).
  • Cybersecurity Capability Maturity Model (CMMC) certification is the US Government’s solution to fix the low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) recognizes that not all contractors are alike and that subcontractors are used in different ways. The CMMC is a tiered model that addresses every business in the DIB, from the largest contractors down to small subcontractors (e.g., IT service providers, bookkeepers, janitorial services, etc.) that could impact CUI.

JK Managed CMMC Compliance benefits:

  • Detect your compliance needs and vulnerabilities with a comprehensive risk assessment.
  • Automate data collection, analysis and documentation processes.
  • Identify appropriate remediation measures and highlight critical items or issues needing immediate attention.
  • Provide expert technical support and guidance you can put your trust in.
  • Secure and protect your business and its data from new or evolving threats and sophisticated cybercriminals.
  • Generate detailed records and reports to demonstrate and validate Due Care or Evidence of Compliance requirements.
  • Deliver and manage all the above for a variety of regulatory standards with our simple, budget-friendly CaaS solution.

CMMC Levels and Associated Focus

Achieving higher CMMC levels enhances an organization’s ability to protect CUI (Controlled Unclassified Information) and, for Levels 4-5, reduces the risk from APTs (Advanced Persistent Threats).

CMMC Level 1

  • Safeguard Federal Contract Information (FCI).
  • Processes: Performed. Level 1 requires that an organization performs the specified practices.
  • Practices: Basic Cyber Hygiene. Level 1 focuses on the protection of FCI.

CMMC Level 2

  • Transition step in the maturity progression to protect CUI.
  • Processes: Documented. Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts.
  • Practices: Intermediate Cyber Hygiene. Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 (4) as well as practices from other standards and references.

CMMC Level 3

  • Processes: Managed. Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.
  • Practices: Good Cyber Hygiene. Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 (4) as well as additional practices from other standards and references to mitigate threats.

CMMC Level 4

  • Processes: Reviewed. Level 4 requires that an organization review and measure practices for effectiveness.
  • Practices: Proactive. Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B (6) as well as other cybersecurity best practices.

CMMC Level 5

  • Processes: Optimizing. Level 5 requires an organization to standardize and optimize process implementation across the organization.
  • Practices: Advanced/Proactive. Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

Visit the CMMC website

Take the first step towards your CMMC Compliance and give us a call.

Together we will put a plan in place that will turn your business technology systems into effective, efficient components that will increase productivity and contribute to the continued growth of your company.

Contact us to arrange a 15-minute, no-obligation virtual meeting to see how much JK Consulting can save your business.