Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a framework which has been  developed by the U.S. Department of Defense (DoD) to improve the security practices of its supply chain.  In order to protect against cyber threats, defence contractors and other organisations that handle controlled unclassified information (CUI) are required to meet a set of cybersecurity standards and practices to adopt appropriate cybersecurity measures.

In November 2021, the DoD announced ‘CMMC 2.0’ an updated programme structure (with three levels replacing the previous five) and requirements designed to achieve the primary goals of its internal CMMC review.  The three CMMC levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).  Each level builds on the previous one, with the highest level requiring organisations to implement more advanced and comprehensive cybersecurity practices.   Organisations which handle CUI on behalf of the DoD are required to achieve compliance or certification at the level which corresponds to the type and sensitivity of the information they handle.

The CMMC framework incorporates a range of cybersecurity practices and controls, including the development of policies and processes, access control, incident response management, and security awareness training.  There are also provisions for third-party assessments and audits to ensure that supply chain organisations are meeting the required standards.

While both CMMC and ISO 27001 are focussed on information security and the protection of sensitive information, they are intended for different audiences and have different goals.  ISO 27001 is a general standard which can be applied to any organisation, whereas CMMC is specific to the U.S. DoD and its contractors.  Key differences include:

• ISO 27001 is more high level which, with its sister Standard ISO 27002, provides general guidance on information security practices.  CMMC, however, is more detailed and specific, with three levels which require increasingly advanced and comprehensive cybersecurity practices.
• ISO 27001 can be applied to any organisation, regardless of industry or sector.  CMMC, on the other hand, is specific to the DoD and organisations which process CUI on its behalf.
• ISO 27001 certification is, in the main, voluntary and organisations can choose to be externally assessed in order to demonstrate conformance with the Standard.  However, CMMC certification is mandatory for those organisations that handle CUI on behalf of the DoD and also wish to work with the DoD and, depending on the level, are required to either self-certify or externally assessed.

Gap Analysis

With our CMMC gap analysis, URM will assess your organisation's current cybersecurity practices and identify any gaps or weaknesses that need to be addressed in order for you to meet the requirements of the CMMC framework.

Typically, URM’s gap analysis involves the following steps:

• During the discovery and scoping phase, URM will help establish whether there is a requirement either through the processing, storage or transmission of CUI or Federal Contract Information (FCI) or meeting a specified client requirement and then map, at a high level, the data journey to determine the system scope and the sites/locations in scope.  One of URM’s senior consultants will guide you through the CMMC framework in order for you to understand the specific cybersecurity practices and controls that are required at each of the 3 levels of the CMMC framework.
• URM will then assess your organisation's current cybersecurity practices and controls to identify any gaps or weaknesses that need to be addressed.  This involves an evaluation of the maturity of your current controls including technology (e.g., firewalls and intrusion prevention systems) policies and processes (e.g., access control and incident management) and people (e.g., awareness training) controls.
• Following our assessment of your cybersecurity practices, URM will identify any specific cybersecurity practices which need to be improved or enhanced in order to fully meet the requirements of the CMMC framework.  URM will specifically identify any gaps between the current maturity level and the maturity required to achieve the identified CMMC level.  
• The final stage will involve URM working with you to develop a plan (including actions and milestones) to address any identified gaps and improve your cybersecurity practices and be able to consistently demonstrate the maturity (evidence) of the CMMC implementation programme.  As part of the plan, we will help you identify the resources and support which will be needed to implement the required changes.

Implementation

Having conducted a gap analysis, URM can provide hands-on support to implement any identified improvements and how to demonstrate the appropriate level maturity by building up the expected evidence.  URM can design and specify the necessary controls and specify the evidence required to assist you in implementing, owning and operating the necessary controls.

Certification Support

URM is able to support the certification audit, where required, to ensure the controls are appropriately represented and the necessary audit evidence is available and explained.