CMMC - Cybersecurity Maturity Model Certification - NQA

More about the CMMC standard:

The CMMC levels are cumulative: each adds practices for handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The level a contractor must reach depends on the sensitivity of the information it handles and the range of threats that information is expected to face. The practices and processes map to existing cybersecurity standards and frameworks, including NIST SP 800-171 and ISO/IEC 27001.

CMMC version 1.0 defines five levels, each pairing a set of practices with a process-maturity expectation, so that the measures required match the sensitivity of the data involved. (Note that CMMC 2.0, announced in November 2021, consolidates this model into three levels; the five-level structure below is the original 1.0 model.) The five levels are:

  • Level 1 – Basic Cyber Hygiene (Performed) – 17 practices
  • Level 2 – Intermediate Cyber Hygiene (Documented) – 72 practices
  • Level 3 – Good Cyber Hygiene (Managed) – 130 practices
  • Level 4 – Proactive Cyber Hygiene (Reviewed & Improved) – 156 practices
  • Level 5 – Advanced Cyber Hygiene (Optimized) – 171 practices

As with other cybersecurity standards, CMMC is organized into domains:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit & Accountability (AU)
  • Awareness & Training (AT)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System & Communications Protection (SC)
  • System & Information Integrity (SI)

How to Implement CMMC

CMMC certification is cumulative: each level's requirements build on those of the levels beneath it. To be certified at Level 3, for example, you must meet the requirements of Levels 1 and 2 as well as those of Level 3. At each level you must implement a defined set of practices and demonstrate the corresponding process maturity. Not every level touches every domain (the 17 Level 1 practices, for instance, fall within only a subset of them), but all practices are drawn from the 17 domains listed above.

To help you meet the standard required for your contracts, we can provide a gap analysis quote to establish your current position against the target level and identify the steps you will need to take toward certification.
