CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
Entrust facilitates CMMC compliance so contracting networks can continue to support DoD and other government agencies.
Cybersecurity Maturity Model Certification (CMMC) is a program established by the U.S. Department of Defense (DoD) to secure and protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring the certification of external contractors across 17 different domains, each with five specified levels of certification.
CMMC is a unified standard for implementing cybersecurity across DoD’s contracting network, which includes over 300,000 companies in the supply chain. CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems.
- Release date was January 1, 2020.
- The DoD began incorporating CMMC requirements into select RFPs / RFIs as of November 30 , 2020.
- By October 1, 2025, all DoD contract awards will require at least some level of CMMC certification. And while DoD was the catalyst for CMMC, it is now gaining traction across the Defense Industrial Base (DIB), including the Department of Homeland Security and other federal government departments and agencies – especially post SolarWinds.
Are you prepared for CMMC compliance?
Historically, contractors were responsible for implementing, monitoring, and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems.
Starting November 30, 2020, DoD began incorporating CMMC requirements into select RFPs, RFIs, and research contracts. By October 1, 2025, all DoD contract awards will require at least some level of CMMC certification. The majority of the defense industry will likely require Level 3 or higher certification, on a possible scale of 1 (basic) to 5 (advanced). CMMC changes the DIB market paradigm by requiring thirdparty assessments of contractors' compliance with certain mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats from adversaries. Entrust’s digital security portfolio including identity, certificate, and data protection solutions facilitates compliance with 11 CMMC domains across the five possible levels of certification.
Key questions to determine what level of maturity your organization needs
Is the organization handling basic information, such as Federal Contract Information (FCI)? Or is it Controlled Unclassified Information (CUI)? FCI requires a Level 1 certification, but CUI requires at least a Level 3 and above.
Where are the gaps between the organization’s current cybersecurity stance and the desired CMMC level? A gap assessment will be invaluable for defining a plan of action and milestones toward achieving CMMC cybersecurity maturity.
CMMC encompasses the security requirements specified in NIST SP 800-171, as well as additional requirements from other standards and sources, which varies by certification level. What will a gap assessment reveal about the organization’s current level of cybersecurity hygiene?
Keep in mind the ultimate goal of CMMC: Keeping FCI and CUI out of the hands of malicious cyber attackers.
CMMC Capability Domains
Entrust is here to help
Entrust provides solutions to facilitate compliance with the following 11 CMMC domains:
- Establish system access requirements
- Control internal system access
- Control remote system access
- Limit data access to authorized users and processes
- Identify and document assets
- Manage asset inventory
- Define audit requirements
- Perform auditing
- Identify and protect audit information
- Review and manage audit logs
- Establish configuration baselines
- Perform configuration and change management
- Grant access to authenticated entities
- Manage maintenance
- Identify and mark media
- Protect and control media
- Sanitize media
- Protect media during transport
- Limit physical access
- Manage backups
- Manage information security continuity
- Define security requirements for systems and communications
- Control communications at system boundaries
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protection