The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to improve the security practices of its supply chain. To protect against cyber threats, defence contractors and other organisations that handle controlled unclassified information (CUI) are required to meet a defined set of cybersecurity standards and practices.
In November 2021, the DoD announced ‘CMMC 2.0’, an updated programme structure (with three levels replacing the previous five) and requirements designed to achieve the primary goals of its internal CMMC review. The three CMMC levels are Level 1 (Foundational), Level 2 (Advanced) and Level 3 (Expert). Each level builds on the previous one, with the highest level requiring organisations to implement more advanced and comprehensive cybersecurity practices. Organisations which handle CUI on behalf of the DoD are required to achieve compliance or certification at the level which corresponds to the type and sensitivity of the information they handle.
Key Features of CMMC 2.0
The CMMC framework incorporates a range of cybersecurity practices and controls, including the development of policies and processes, access control, incident response management, and security awareness training. There are also provisions for third-party assessments and audits to ensure that supply chain organisations are meeting the required standards.
How does CMMC differ from ISO 27001?
While both CMMC and ISO 27001 are focussed on information security and the protection of sensitive information, they are intended for different audiences and have different goals. ISO 27001 is a general standard which can be applied to any organisation, whereas CMMC is specific to the U.S. DoD and its contractors. Key differences include:
- ISO 27001 is more high level and, together with its sister Standard ISO 27002, provides general guidance on information security practices. CMMC, however, is more detailed and specific, with three levels which require increasingly advanced and comprehensive cybersecurity practices.
- ISO 27001 can be applied to any organisation, regardless of industry or sector. CMMC, on the other hand, is specific to the DoD and organisations which process CUI on its behalf.
- ISO 27001 certification is, in the main, voluntary, and organisations can choose to be externally assessed in order to demonstrate conformance with the Standard. CMMC certification, however, is mandatory for organisations that handle CUI on behalf of the DoD and wish to work with the DoD; depending on the level, they are required either to self-certify or to be externally assessed.
How can URM assist you?
With our CMMC gap analysis, URM will assess your organisation's current cybersecurity practices and identify any gaps or weaknesses that need to be addressed in order for you to meet the requirements of the CMMC framework.
Typically, URM’s gap analysis involves the following steps:
- During the discovery and scoping phase, URM will help establish whether there is a requirement, either through the processing, storage or transmission of CUI or Federal Contract Information (FCI), or through a specified client requirement. URM will then map, at a high level, the data journey to determine the system scope and the sites/locations in scope. One of URM’s senior consultants will guide you through the CMMC framework so that you understand the specific cybersecurity practices and controls that are required at each of the three levels of the CMMC framework.
- URM will then assess your organisation's current cybersecurity practices and controls to identify any gaps or weaknesses that need to be addressed. This involves an evaluation of the maturity of your current controls, including technology (e.g., firewalls and intrusion prevention systems), policies and processes (e.g., access control and incident management) and people (e.g., awareness training).
- Following our assessment of your cybersecurity practices, URM will identify any specific cybersecurity practices which need to be improved or enhanced in order to fully meet the requirements of the CMMC framework. URM will specifically identify any gaps between the current maturity level and the maturity required to achieve the identified CMMC level.
- The final stage will involve URM working with you to develop a plan (including actions and milestones) to address any identified gaps and improve your cybersecurity practices and be able to consistently demonstrate the maturity (evidence) of the CMMC implementation programme. As part of the plan, we will help you identify the resources and support which will be needed to implement the required changes.
Having conducted a gap analysis, URM can provide hands-on support to implement any identified improvements and to demonstrate the appropriate level of maturity by building up the expected evidence. URM can design and specify the necessary controls, and specify the evidence required, to assist you in implementing, owning and operating those controls.
URM is able to support the certification audit, where required, to ensure the controls are appropriately represented and the necessary audit evidence is available and explained.
Why URM for CMMC?
URM has a 17-year track record of providing high quality consultancy and training support, assisting organisations to improve their information and cyber security, as well as their information governance posture and capabilities. A particular niche skill is helping organisations to conform or certify to ‘best practice’ international (IS) standards, such as SOC 2, CMMC and ISO 27001. Having assisted over 400 organisations to achieve world recognised standards, URM has worked with organisations of all sizes, from micro businesses to multi-national organisations, and from all the major market sectors.
URM is renowned for adopting a highly tailored and bespoke service, where its consultants are constantly striving to deliver sustainable solutions that meet both the current and future needs of the client organisation.
When transferring knowledge on meeting the requirements of CMMC, URM can do so through various delivery mechanisms, i.e., one-to-one support, workshops or training courses. Furthermore, when delivering remediation services to address gaps, URM’s support is tailored and flexible, based on the client’s requirements, internal knowledge and available resources. Support can be delivered on an activity-by-activity basis or by allocating a consultant on a recurring basis, e.g., one day a week. Such an engagement helps to ensure that remediation activities are followed through, remain compliant and generate sufficient evidence for the audit.