Is your organization prepared for NIST 800-171 Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) program is aligned to the Department of Defense (DoD) information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of sensitive unclassified information that the Department shares with its contractors and subcontractors, each referred to as an Organization Seeking Certification (OSC). The program gives the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
Under CMMC guidelines, non-federal organizations will be required to follow the proper security standards when handling the following:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
If your organization has not been awarded the required Level 1 or Level 2 CMMC Certification before a contract is awarded, that contract will be denied.
The current certification process is directed by CMMC Revision 2.0. There are three distinct levels that make up the certification process. The level determination for a client will be set by a DoD Contracting Officer.
Level 1: Foundational (basic safeguarding) of Federal Contract Information (FCI), consisting of six domains covering seventeen practices.
Level 2: Advanced (Advanced Security Requirements) of Controlled Unclassified Information (CUI), consisting of fourteen domains covering 110 practices.
Level 3: Expert, which covers Controlled Unclassified Information (CUI) with a focus on DIB partners managing highly classified information. This level includes the current Level 2 practices and domains, plus an additional set of controls not yet specified. The DoD estimates that less than 0.1% of active DIB partners (about 160 companies) will require Level 3 Certification.
Please note: Current certification is based upon Revision 2.0. As new revisions of the certification are released, many of the practices, while not removed, may be reworked and adjusted to define the proper levels of certification.
How are CMMC Audits Performed?
Under the current guidelines of CMMC Revision 2.0, a DoD Contracting Officer assigned to the Organization Seeking Certification (OSC) will dictate its certification Level requirements.
Level 1: Foundational (Basic Safeguarding) of Federal Contract Information (FCI) requires the OSC to fulfill all six domains and seventeen practices to achieve certification. Level 1 Certification requires the OSC to submit a self-assessment to the Supplier Performance Risk System (SPRS). Once a contract is awarded, Level 1 Certification is valid for one year and requires the self-assessment to be resubmitted annually. The DoD can conduct a full audit of an OSC seeking Level 1 Certification if there are any concerns about discrepancies in the self-assessment submission.
Level 2: Advanced (Advanced Security Requirements) of Controlled Unclassified Information (CUI) requires the OSC to fulfill all fourteen domains and 110 controls to achieve certification. Level 2 Certification requires the OSC to go to the Cyber-AB Marketplace (HTTPS://cyberab.org) and engage a C3PAO (CMMC Third Party Assessment Organization) to conduct a physical audit of the organization before certification is granted. Once a contract is awarded, Level 2 Certification is valid for three years before re-certification by a C3PAO is required.
Level 3: Expert requires the OSC to fulfill all Level 2 requirements (14 domains and 110 controls) plus an additional set of practices not yet defined. Level 3 Certification requires a physical audit. However, due to the security nature of the organization seeking certification, the audit is conducted directly by the DoD DIBCAC (Department of Defense Defense Industrial Base Cybersecurity Assessment Center). Once a contract is awarded, Level 3 Certification is valid for three years before re-certification by the DoD DIBCAC is required.
How does an Organization Seeking Certification (OSC) prepare?
As organizations prepare for their certifications, below are some key operations to start thinking about.
- Proper organization and operational documents and policies aligning with physical, technical, and security operations.
- Governance and Risk Compliance Operations and Programs
- Technology and Security Operations:
  - Security Awareness and Anti-Malware Training Programs for end-users
  - Endpoint and infrastructure security operations
  - Mobile Device Management (MDM)
  - Email Filtering and Security Monitoring
  - Endpoint Detection and Response (EDR)
  - Endpoint DNS Filtering
  - Vulnerability Operations
  - Two-Factor Authentication
  - Penetration Testing
  - Vulnerability Scanning
  - FedRAMP Compliant Services
Time is running out, because organizations will be required to hold the proper CMMC Certification to be awarded a contract. Organizations should reach out to a Registered Practitioner (RP) or Registered Practitioner Organization (RPO), which are individuals or organizations certified by the Cyber-AB, to help with readiness for Level 1 and Level 2 Certification needs. Organizations can find these certified individuals or groups through the Cyber-AB Marketplace.
Contact Thrive today to learn more about how we can help you achieve proper CMMC Certification. Thrive has Certified RPs ready to help with readiness and planning.