The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense (DoD) program for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on their systems. It is not an international standard and not a joint NIST/ISO effort: the DoD defines the certification levels and the assessment process, and the underlying security practices are drawn from NIST SP 800-171, with the DFARS 252.204-7012 clause as the contractual hook.
CMMC gives defense-industrial-base organizations and their assessors a common language for describing and measuring cybersecurity capability. Contractors use it to assess their current practices against the level their contracts require and to identify the gaps that must be closed before an assessment.
This article answers some of the most frequently asked questions about implementing CMMC and highlights real-world advice from organizations that are furthest along.
The answers below contain tips and tools for CMMC implementation, including planning and assessment, and concentrate on the concepts and areas that organizations most often find problematic.
How do we remain up to date with CMMC domains, capabilities and practices?
To meet the compliance requirements in NIST SP 800-171, DFARS 252.204-7012 and CMMC, continuously monitor the security controls that apply to FedRAMP, the DoD Impact Levels and CMMC. Build and maintain the compliance roadmap and liaise with engineering teams on the requirements for attaining certification. Define the key compliance requirements for your hosting technologies, including compute and storage components, virtualization, and segmentation capabilities. Keep the organization at the forefront of industry changes as the regulations associated with CMMC evolve, and act as the principal advisor to upper management on cybersecurity matters and on protection, detection and threat-prevention capabilities. Work with internal clients to test for compliance with the prevailing regulatory laws, requirements and standards, including Sarbanes-Oxley, SOC 2, GDPR, CCPA, PCI DSS, ISO 27001 and CMMC.
Are you prepared for the upcoming DoD cybersecurity audit program?
To be prepared for your cybersecurity audit, ensure your cybersecurity engineers have strong communication and program-management skills so they can lead and implement the corporate governance and program-management lifecycle processes for cybersecurity risk, policy and governance. Develop and run security awareness and education programs that sustain high levels of compliance with enterprise security documents. Make the team responsible for cybersecurity compliance of both classified and unclassified systems by facilitating and documenting the physical, procedural/operational and technical security controls needed to comply with regulatory standards and industry best practices, including internal policies, the Cyber DFARS clauses, CMMC, and rules the DoD has yet to issue. Manage all audit work and associated activities related to IT operations, system implementations, digital initiatives and technology asset management (team guidance and supervision, business and IT relationships, engagement planning, scoping, budgeting, efficient execution, reporting and communication), as well as internal-audit modernization initiatives such as analytics, intelligent automation and enablement tools.
Adapt: what needs to be included in cybersecurity management?
Adapt your cybersecurity function so that it supports incident response management teams and keeps management informed of current status and work activities. Manage your supply chain risk management framework, including identification and prioritization of all risk factors affecting data protection and the confidentiality, integrity and availability of systems and data, covering the NIST Cybersecurity Framework (CSF), NIST SP 800-171, NIST SP 800-53, ISO 27001 and the General Data Protection Regulation (GDPR). Secure funding for evaluating, contracting and deploying the security technologies involved: endpoint protection, privileged account protection, web and email filtering, malware management, MFA and MDM, SOC managed-services contracting and oversight, administration, and advanced protection and detection systems.
Where is your organization in its CMMC journey?
To establish where your organization is in its CMMC journey, help internal clients implement the NIST SP 800-171 and CMMC requirements. For example, implement and improve a Secure Software Development Lifecycle (SSDL) across organizational teams. Develop and implement an information security management framework that fits your organization, its risk profile and its existing compliance initiatives, and align your cybersecurity program not only with CMMC but with the other regulatory and industry requirements and best practices that apply to you, such as FAR/DFARS, NIST SP 800-171, FedRAMP and CCPA.
What should you be doing now to prepare for CMMC?
To prepare for the CMMC assessor, be able to conduct cyber risk assessments using frameworks or standards such as the NIST CSF, ISO 27001, PCI DSS and other industry measurement tools. Design policy requirements and link them to the relevant standards, regulations and laws (NIST, CMMC, ISO 27001, PCI DSS, CSA, etc.) for stronger compliance and control. Assess internal and program compliance with all imposed DFARS and CMMC requirements so that you are prepared for future external DoD (DCMA) and internal company audits, and improve the overall security posture of the program and its environment.
What if you have no idea what CMMC is or at what level your organization needs to be?
Stay current on the changing regulatory environment and understand its impact on your organization. Manage quality assurance metrics and operationalize the corporate CMMC quality management processes. The manager must have experience and competence with the applications, subsystems and networks of a multi-office organization. Work directly with the operations and security teams to audit current organizational processes and internal documentation for compliance with governmental and industry standards.
Have your organization invest in the CMMC standard by assessing system compliance against NIST SP 800-171 (and the related NIST Special Publications) and the CMMC controls. Create and curate the risk assessments the CMMC program requires. Lead teams performing assessments of Organizations Seeking Certification (OSCs) under the CMMC process. Ensure the team has experience with ITIL, COBIT, NIST or other IT and cybersecurity frameworks. Develop a gap analysis between the CMMC controls and your organization's current state, propose solutions suited to the OSC's environment, and delegate responsibility for maintaining the security tools both inside the network and on its perimeter in accordance with the CMMC level standards.
Do they have technical experience implementing NIST/CMMC controls?
They need project-management experience so they can identify, document and map technology processes and internal controls. They should conduct risk assessments to prioritize the deployment of security controls; have experience leading SOC 2, CMMC, FedRAMP or similar audits and certifications; establish appropriate mitigating controls and assess their effectiveness; have experience managing large-scale vulnerability management and configuration-hardening processes; and perform periodic testing of organizational information resources and the supporting security infrastructure to confirm that the security controls are in place and effective.
How do you find out your potential subcontractors' certified CMMC levels?
To establish and keep your certified levels, lock in leadership investment in cybersecurity (NIST, CNSSI, CMMC, SOX, FISMA, FedRAMP, etc.). Provide guidance and leadership in monitoring CMMC compliance, and write regular status reports so the organization stays at the forefront of industry changes as the CMMC regulations evolve. Work with internal clients to test for compliance with the prevailing regulatory laws, requirements and standards, including Sarbanes-Oxley, GDPR, CCPA, PCI DSS, ISO 27001 and CMMC. Designate an Information Systems Security Manager to prepare and seek approval for network accreditation and CMMC in compliance with DoD requirements, with experience implementing and assessing the following industry standards: NIST Special Publications, FedRAMP, the NIST Cybersecurity Framework, CMMC, cloud security, HIPAA, PCI DSS and the ISO 27000 series.
When will you need to have CMMC in place?
To get CMMC in place, invest in CMMC assessments and gap analyses of your IT systems. Develop experience leading SOC 2, CMMC, FedRAMP or similar audits and certifications. Maintain the endpoint infrastructure that supports the CMMC program. Invest in coordinating the technical activities and in developing new or expanded CMMC services. Produce reports that comply with the CMMC standards and issue the documents that attest to that compliance. Prepare for, participate in and support security certification and NIST-based compliance audits (FISMA, FedRAMP, CMMC, etc.). Participate in cybersecurity, technology-risk and privacy assessments and audits against industry standards such as CMMC, ISO and NIST, and stay at the forefront of industry changes as the CMMC regulations evolve. Provide support for requests for information from IT audit, SOX controls testing, DFARS/CMMC assessments, GDPR, customer audits and other audit activities.
Does your organization know what it needs to do?
To help your organization understand what it needs to do, recommend and implement processes that foster deterrence, education and awareness of insider and outsider risk across the broader organization. Ensure that risk management takes a customer-resilience view that supports the digital strategy while preserving the soundness of the organization. Bring together individuals with the diverse backgrounds, talents and expertise that make the organization stronger. Lead management and collaborate with other business units and corporate staff in security, IT and other departments to develop and implement efficient and appropriate technology, user training, processes, procedures and compliance programs that integrate seamlessly with the day-to-day operation of the organization's entire computing infrastructure.
About the Author: Gerard Blokdyk is the CEO of The Art of Service. Learn more at https://theartofservice.com.