11/22/2022 | News release | Distributed by Public on 11/22/2022 04:01
The Cybersecurity Maturity Model Certification (CMMC) is a certification and assessment program from the United States Department of Defense (DoD). CMMC is designed to give the DoD increased assurance that a contractor can adequately protect federal contract information (FCI) and controlled unclassified information (CUI), including accounting for information flow to subcontractors in a multi-tier supply chain.
The CMMC framework applies to Defense Industrial Base (DIB) contractors that handle FCI or CUI. It does not introduce a new body of controls; it builds on existing U.S. federal safeguarding requirements, chiefly the 15 basic requirements of FAR 52.204-21, the 110 security requirements of NIST SP 800-171 that DFARS 252.204-7012 already obliges contractors to implement for CUI, and, at the highest level, a subset of NIST SP 800-172. Once CMMC requirements appear in DoD solicitations, an organization that wants to be awarded a contract involving FCI or CUI will need to demonstrate the CMMC level that contract specifies.
CMMC compliance requires an organization to implement, monitor, and maintain a defined set of security practices, which lowers the likelihood that an attacker can successfully compromise the data shared within the defense industry that the DIB uses to produce parts, systems, and components for national defense. DIB contractors hold and use sensitive government data to develop and deliver these goods and services. CMMC helps contractors secure this information by holding them to the same safeguarding baseline (NIST SP 800-171 for CUI) that the federal government applies to CUI held in nonfederal systems.
CMMC helps DIB organizations:
If a DIB contractor does not meet the minimum CMMC level required by a solicitation, it may be unable to bid on that DoD contract and lose that source of revenue. In extreme cases, a contractor that depends on DoD work could even face business closure. Noncompliance also means the underlying security requirements are not in place, which leaves the contractor more exposed to attacks on the CUI it holds. Engaging with the CMMC compliance process now will help guide your organization toward a more secure future.
The CMMC 1.0 framework was published in January 2020 and updated as CMMC 2.0 in November 2021. CMMC 2.0 is published on the DoD CMMC website.
The intent of CMMC 2.0 is to streamline the original framework: it reduces the five maturity levels to three, aligns Level 2 directly with the 110 requirements of NIST SP 800-171 and Level 3 with a subset of NIST SP 800-172, drops the CMMC-unique practices and maturity processes of CMMC 1.0, and allows annual self-assessment for Level 1 and for a subset of Level 2 contracts, with third-party (C3PAO) assessment for the remaining Level 2 contracts and government-led assessment for Level 3. The key changes between CMMC 1.0 and CMMC 2.0 are:
The transition from CMMC 1.0 to 2.0 can be seen in the image below:
Source: https://www.acq.osd.mil/cmmc/about-us.html
Qualys Policy Compliance (PC) is a cloud-based tool that provides DIB contractors with a holistic view of their CMMC compliance posture using mandate-based reporting against the CMMC 2.0 framework: each technical control in the CMMC 2.0 practices is mapped to the configuration checks Qualys PC evaluates on in-scope assets, so a failing check is reported against the practice it supports.
The screenshots below show how the CMMC 2.0 compliance posture is presented and where remediation is required.
Figure 2. Mandate list in the Qualys platform
Figure 3. Overall summary of compliance against CMMC 2.0 Level 1
Figure 4. Compliance posture by section and practice
Figure 5. Compliance against CMMC 2.0 Level 2
The Cybersecurity Maturity Model Certification framework is a critical requirement for U.S. Defense Industrial Base contractors to ensure that sensitive information is protected from malicious attacks throughout the supply chain. The framework also helps contractors streamline compliance, but even the slimmed-down CMMC 2.0 can be a major challenge without a tool to automate its many moving parts. Note that Qualys PC covers the technical configuration checks behind the CMMC practices; policy, procedural, and documentation requirements still have to be evidenced separately for an assessment. The cloud-based Qualys Policy Compliance tool will help a DIB contractor get a full picture of its CMMC compliance posture and simplify the processes needed to reach full compliance with this federal mandate. You can learn more about Qualys PC on our website. We also invite you to request a free trial of PC or to contact your Qualys Technical Account Manager.