CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
Entrust facilitates CMMC compliance so contracting networks can continue to support DoD and other government agencies.
Cybersecurity Maturity Model Certification (CMMC) is a program established by the U.S. Department of Defense (DoD) to secure and protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring the certification of external contractors across 17 different domains, each with five specified levels of certification.
CMMC is a unified standard for implementing cybersecurity across DoD’s contracting network, which includes over 300,000 companies in the supply chain. CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems.
- Release date was January 1, 2020.
- The DoD began incorporating CMMC requirements into select RFPs / RFIs as of November 30 , 2020.
- By October 1, 2025, all DoD contract awards will require at least some level of CMMC certification. And while DoD was the catalyst for CMMC, it is now gaining traction across the Defense Industrial Base (DIB), including the Department of Homeland Security and other federal government departments and agencies – especially post SolarWinds.
Are you prepared for CMMC compliance?
Historically, contractors were responsible for implementing, monitoring, and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems.
Starting November 30, 2020, DoD began incorporating CMMC requirements into select RFPs, RFIs, and research contracts. By October 1, 2025, all DoD contract awards will require at least some level of CMMC certification. The majority of the defense industry will likely require Level 3 or higher certification, on a possible scale of 1 (basic) to 5 (advanced). CMMC changes the DIB market paradigm by requiring thirdparty assessments of contractors' compliance with certain mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats from adversaries. Entrust’s digital security portfolio including identity, certificate, and data protection solutions facilitates compliance with nine CMMC domains across the five possible levels of certification.
Key questions to determine what level of maturity your organization needs
Is the organization handling basic information, such as Federal Contract Information (FCI)? Or is it Controlled Unclassified Information (CUI)? FCI requires a Level 1 certification, but CUI requires at least a Level 3 and above.
Where are the gaps between the organization’s current cybersecurity stance and the desired CMMC level? A gap assessment will be invaluable for defining a plan of action and milestones toward achieving CMMC cybersecurity maturity.
CMMC encompasses the security requirements specified in NIST SP 800-171, as well as additional requirements from other standards and sources, which varies by certification level. What will a gap assessment reveal about the organization’s current level of cybersecurity hygiene?
Keep in mind the ultimate goal of CMMC: Keeping FCI and CUI out of the hands of malicious cyber attackers.
CMMC Capability Domains
Entrust is here to help
Entrust provides solutions to facilitate compliance with the following nine CMMC domains:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Maintenance (MA)
- Media Protection (MP)
- Recovery (RE)
- System and Communication Protection (SC)