Cybrary

CMMC Overview

via Cybrary

Overview

The Cybersecurity Maturity Model Certification (CMMC) combines various cybersecurity standards and best practices, and maps these controls and processes across maturity levels that range from basic cyber hygiene to advanced. The goal is that, for a given CMMC level, the controls and processes will reduce the risk of specific cyber threats. One goal of CMMC is for small businesses to be able to implement low-cost solutions to cyber threats.

Prerequisites

No specific prerequisites are necessary to take this CMMC training; however, it is recommended that students have some experience in the cybersecurity industry and/or have familiarity with other frameworks, like NIST and CIS. It is also recommended that students be working in a government/military position.

Course Goals

By the end of this course, students should be able to:

  • Understand the CMMC v0.7 Framework
  • Understand where CMMC is now
  • Get started with NIST SP 800-171

What is CMMC Certification?

The Cybersecurity Maturity Model Certification is a procedure developed by the U.S. Department of Defense (DoD) in an effort to ensure the security of the Defense Industrial Base (DIB). The DIB is a global industrial complex that allows research and development, design, production, delivery, and maintenance of military equipment including weapons systems and parts. There are over 100,000 DIB companies and subcontractors who work under contract with the DoD.

In 2019, the DoD announced its intention to create this type of evaluation and certification program for cybersecurity, and the CMMC was born. The program certifies that the contractors working under the DoD have controls implemented that protect sensitive government data including Federal Contract Information and Controlled Unclassified Information (CUI).

How Does the CMMC Program Work?

The CMMC is designed to verify that contractors working with the DoD have the appropriate levels of cybersecurity processes and practices to ensure the protection of CUI and basic cyber hygiene. The controls that are to be evaluated consist of 17 sections or domains, including areas such as Access Control, Awareness and Training, Incident Response, Personnel Recovery, Risk Management, and more.

Organizations that are assessed may receive one of five cumulative levels of certification. The levels range from basic hygiene to highly advanced controls. Every organization that intends to work with the DoD is required to be audited for compliance with the CMMC before bidding on a contract.

The five CMMC certification levels of cyber hygiene are as follows:

  • Level 1: Basic
  • Level 2: Intermediate
  • Level 3: Good
  • Level 4: Proactive
  • Level 5: Advanced/Progressive

In the CMMC training course, students will dive into the specific control requirements of the 17 domains that are evaluated, as well as the definitions of each of the certification levels.

Why Take this CMMC Training Course?

Because the end goal of the DoD is that every contractor and subcontractor that wishes to conduct business with the DoD is CMMC certified, it’s essential that organizations understand the certification program and its requirements. Any individual or team of individuals who will be responsible for ensuring that proper cybersecurity controls are in place to be in compliance with CMMC standards should take this CMMC certification training course to become familiar with the program as well as the process of certification.

The purpose of this training course is to ensure that appropriate cybersecurity personnel have a working understanding of how to implement security controls and how to submit a request for CMMC certification. It is also meant to ensure that those cybersecurity professionals know what requirements the DoD mandates for CMMC certification, so they can be prepared when it is launched.

How Do Organizations Become Certified?

The CMMC program will be phased in for some contractors and organizations working with the DoD starting in September 2020. When the program is completely operational, all entities that conduct business with the DoD will have to be certified to continue. Contractors and subcontractors alike will have to meet one of the five CMMC certification levels, demonstrating they have implemented cybersecurity sufficiently through the completion of independent audits.

Organizations will be required to coordinate directly with independent auditing entities to request their CMMC assessments. The organizations must specify the level of certification they want to be certified for based on the type of business they intend to do for the DoD. Upon demonstration of the appropriate controls, maturity in capabilities, and organizational maturity to the satisfaction of the auditor, organizations will be awarded certification at the designated CMMC level.

Syllabus

  • Identifying CMMC DoD Requirements
    • Course Overview
    • Cyber Events
    • Contracts
    • Framework Definitions
    • POA&M
    • Costs
    • Timelines
  • CMMC Framework Deep Dive
    • Understanding the CMMC v.07 Framework
    • Structure of the CMMC v.07 Framework
    • Where is CMMC Now?
  • CMMC Implementation
    • Get Started Now!

Taught by

Robert Ashcraft
