Part 1: Laying the Groundwork for Achieving Certification

In June of this year, my colleague Tom Taylor wrote about the DoD’s announcement that it would institute the Cybersecurity Maturity Model Certification (CMMC), and he explained that, with the CMMC, the DoD appears to be addressing our customers’ core compliance pain points:

  • Varying standards – It’s not always easy to read and interpret the DFARS standards. Under the CMMC, there will be ONE unified DoD cybersecurity standard that combines NIST SP 800-171, NIST SP 800-53, AIA NAS 9933, FIPS and others. In other words: one standard, one maturity model.
  • Varying levels of security – CMMC requirements will not be “all or nothing.” There will be a range of CMMC levels, and RFPs will state which level the DoD requires for each contract.
  • Affordability – Security will now be an allowable cost on DoD contracts.
  • Supply chain verification – CMMC third-party certifiers will have the tools to conduct audits and to collect metrics and risk management information for the entire supply chain.

Since the announcement in May, the DoD has kicked off a “listening tour” to solicit feedback from the Defense Industrial Base sector, according to the CMMC website.

As the questions and comments roll in, the federal team at Tripwire will be publishing a three-part blog series to address our customers’ concerns and offer guidance on how to prepare between now and the time that companies start to see CMMC requirements in Requests for Information (January 2020).

As part one of this series, I want to address what will likely be the first part of the CMMC process for any organization – its security level rating.

According to the DoD:

Your company will specify [to an independent third-party commercial certification organization] the level of