CMMC

A Cybersecurity Maturity Model Certification (CMMC) is a certification requirement for companies doing business with the Department of Defense (DoD). TrustNet’s security experts have the knowledge and experience to ensure that clients can earn the CMMC certification.

WHAT IS CMMC ?
The CMMC was created by the DoD to enhance the security posture of the Defense Industrial Base (DIB) sector. The framework allows for the standardization of cybersecurity best practices and processes to protect the security and data of their networks.
WHO CAN PROVIDE CMMC CERTIFICATION ?

Only a Third Party Assessment Organization (C3PAOs) can provide a CMMC Certificate. Certified third parties must meet the stringent DoD requirements to be allowed to perform CMMC assessments.

HOW LONG IS AN ASSESSMENT VALID FOR ?
Each CMMC certificate will be valid for 3 years.
WHAT LEVEL OF CMMC MUST I ACHIEVE TO DO BUSINESS WITH THE DOD ?

Every DoD RFI (Request for Information) or RFP (Request for Proposal) will list the CMMC level required to meet the minimum standard for that contract.

Each CMMC level requires a designated number of practices and processes. Each level is a building block to the next level, so to reach level 5 certification, it is necessary to first meet level 1 through 4 requirements.

THE 5 LEVELS OF CMMC

LEVEL 1

Process: Practices are performed in an ad-hoc manner, no process requirement.

Practice: Basic cybersecurity practices. Addresses the protection of FCI. 17 practices are required for the basic safeguarding requirements specified in 48 CFR 52.204.21.

LEVEL 2

Process: Policy and documentation of practice are required.

Practice: 65 of 72 of practices from NIST SP 800-171, including

● Audit log review
● Event detection and reporting
● Analyzing triaging event
● Incident response
● Incident RCA
● Data backup and testing
● Encrypted session for device management

LEVEL 3

Process: Organization must demonstrate management of practice implementation activities. Must address missions, goals, project plans, resourcing, required training, and involvement of stakeholders.

Practice: Each of the 110 control requirements of NIST SP 800-171 is required for this level. 13 new practices from other standards are added to Level 3, including:

● Defining procedures of CUI data handling
● Collecting audit info in central repositories
● Regular data backups
● Periodic risk assessments
● Cyber threat intel response plan
● Separate management of non-vendor-supported products
● Risk mitigation plan
● Email forgery protection
● Security assessment of enterprise software
● DNS filtering
● Sandboxing
● Restriction of CUI publication
● Spam protection mechanisms

LEVEL 4

Process: Effectiveness of practices is imperative for Level 4, as practices are measured and reviewed.

Practice: To protect Controlled Unclassified Information (CUI) from Advanced Persistent Threats (APTs), 26 practices are added to meet more stringent detection and response capabilities.

LEVEL 5

Process: The highest level, level 5 is focused on process standardization and optimization.

Practice: The remaining 15 practices increase the depth and sophistication of cybersecurity capabilities.

TrustNavigator™ our proprietary service approach:

l

PLANNING

project planning and management

SCOPING

risk assessment, identify relevant controls, gather info

TESTING

analysis, conduct testing, remediation roadmap

REPORTING

findings and recommendations, final report

Why Should I Choose TrustNet?

TrustNet has deep experience serving clients of all sizes, across multiple industries. We provide high quality professional services to help clients achieve CMMC certification quickly and efficiently.

Our Clients