Hello, and welcome back to this next TomCast from Iron Bow Technologies; we are a leading global IT solution provider dedicated to innovation with integrity. We successfully transform today's technology challenges into business opportunities, helping our clients meet their missions while gaining a competitive edge. 

Today we’re going to continue the discussion on the Cybersecurity Maturity Model Certification, otherwise known as CMMC, but this portion of the discussion will center around CMMC version 2.0, and what is required for level 1 certification.

As mentioned during the last TomCast, there are three levels of certification within CMMC version 2.0, and Level 1 is the Foundational level. Level 1 (foundational) contains 15 security control requirements and requires annual self-assessments and annual affirmation. What does this mean in more depth?

The following information was pulled directly off of the Department of Defense website regarding CMMC, and that site URL is https://dodcio.defense.gov/CMMC/Assessments:

“Overview of Assessments

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0: Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards. Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments. The highest priority, most critical defense programs (Level 3) will require government-led assessments.

Self- Assessments

The Department views Level 1 as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Self-assessments will suffice to meet CMMC Level 1 requirements. Likewise, a subset of programs with Level 2 requirements do not involve information critical to national security, and associated contractors will be permitted to meet the requirement through self-assessments.

Contractors will be required to conduct self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The Department intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).”

So, as we plainly heard, level 1 requires self-assessments against clearly articulated cybersecurity standards. But wait, what are those standards? Those standards are found also on that same site, the dodcio.defense.gov site (search for CMMC 2.0 level 1). Now, as of the composition of this TomCast (I say that because the entire CMMC process is currently being reviewed and changes could be made), level 1 requires passing assessments that span across six of the NIST 800-171 security control families.  Those security control families are:

• AC, or Access Control
• IA, or Identification and Authentication
• MP, or Media Protection
• PE, or Physical Protection
• SC, or Systems and Communication Protection, and
• SI, or Systems and Information Integrity

So, as you have heard, CMMC version 2.0 level 1 certification will require annual self-assessments on the controls laid out in the six specified control families in the NIST Special Publication 800-171. Use your web browser of choice, fire up your search engine of choice, and type in CMMC version 2.0 level 1 certification. There are quite a few results that will pop up, for the definitive information you will need look for the Department of Defense sites to get clear information on what you will need.

If you have any questions surrounding CMMC, reach out to us over here at Iron Bow Technologies. We have the expertise to help you understand the requirements of the Department of Defense and how CMMC will benefit you and your organization. We’re also here to help any way we can to ensure your organization remains as secure as possible.

We here at Iron Bow thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what Iron Bow can do for you, head on over to www.ironbow.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!