Why is the CMMC being created?
The Department of Defense is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
Cybersecurity Maturity Model Certification
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”
Controlled Unclassified Information
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:
Resources, including online training to better understand CUI can be found on National Archives’ website at https://www.archives.gov/cui/training.html
How can my organization become CMMC certified?
Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
“We are grateful to GoldSky Security for performing our Enterprise Security Risk Assessment & NIST 800-171 Gap Assessment. The engagement proved to be invaluable in assisting LSI on our journey to attain CMMC accreditation. The onsite portion of the assessment was exceptional. It was evident the GoldSky Security team we worked with were extremely knowledgeable in Federal Security contracting space. The Threat out brief report they provided was extremely detailed which will help us transform our company into a security conscious culture that will dramatically reduce our risk over time. Thanks again! ”