The Cybersecurity Maturity Model Certification (CMMC) standard outlines the safeguards that the US Department of Defense (DoD) requires when Controlled Unclassified Information (CUI) is transferred from government information systems to third-party systems, particularly those of DoD prime contractors and subcontractors in the defense industrial base (DIB).
The CMMC divides its 171 controls (called practices by the CMMC) into 17 control domains. To provide additional structure, it also maps each practice to one of 43 capabilities. Each practice is assigned to one of the CMMC’s five maturity levels and also applies at every higher level.
The CMMC Security Assessment (CA) domain practices direct DIB organizations to examine their current information security programs and produce a system security plan (SSP) that guides the implementation and improvement of “specified security requirements” (controls). At higher maturity levels, DoD suppliers are also required to systematically analyze their current security posture so they can improve it and stay ahead of emerging threats.
Eight practices are included in the Security Assessment domain: three at CMMC Level 2, two at Level 3, and three at Level 4. In addition, three capabilities are defined by this domain:
- Develop and manage a system security plan.
- Define and manage controls.
- Perform code reviews.
The Security Assessment domain practices are concerned with assessing, testing, and improving your security posture. It starts with your SSP and extends to in-depth testing of systems and applications, which may require enlisting third-party assistance. Reporting results to management and supporting ongoing risk assessments are also part of the domain.
All of this will be new to many SMBs in the DIB that do not already have a formal security program. Creating component and service inventories and developing data flow diagrams (to support vulnerability assessments, decide how to segment networks, and so on) can take a substantial amount of time, especially if you need to reach Level 3 or Level 4. You may also need new software tools to support your new Security Assessment methodology.
Your security posture will be influenced by your ability to conduct security assessments. While it may be tempting to “wing it” or create an SSP from a template in order to check the box, this will jeopardise your CMMC certification efforts. As a Registered Provider Organization (RPO) for DIB orgs pursuing CMMC certification and/or NIST 800-171 compliance, Pivot Point Security specialises in aiding SMBs in assessing cyber security and compliance threats and determining the best strategy to reach their goals.