The Cybersecurity Maturity Model Certification (CMMC) is a new regulatory framework that will soon be required for all contractors with the US Department of Defense (DoD). These contracts can be lucrative, but they’re hard to lock down without preferred status. For that, your business will need to work on getting certified through a qualified assessor accredited by the CMMC Accreditation Body (CMMC-AB).
Read on to learn about the role and responsibilities of CMMC-AB and all other significant stakeholders who play a part in CMMC enforcement.
What is the CMMC-AB and What Do They Do?
Working with the DoD in any capacity means taking the security of all Americans into your hands. The sensitive information you’re likely to come into contact with makes your own company’s cybersecurity critical to the functioning of the military and national security. That’s why CMMC certification encompasses more than just basic cybersecurity.
This guide will break down everything you need to know about the CMMC-AB and CMMC, including:
- What is CMMC-AB, and how do they relate to other stakeholders?
- What exactly is the CMMC, and what does full CMMC compliance comprise?
By the time we’re done, you’ll understand who you can contact to begin or complete your journey toward CMMC certification and lucrative DoD contracts (hint: it’s us).
Understanding the Responsibilities of the CMMC-AB
The CMMC Accreditation Body exists to accredit third-party organizations that, in turn, certify that other organizations are CMMC compliant. It’s a nonprofit organization based in Maryland that was founded in January of 2020. The primary function of the CMMC-AB is to connect businesses that are bidding for compliance with a qualified assessor.
There are multiple levels of assessor accreditation that the CMMC-AB currently offers. The most critical at this stage in the CMMC rollout is the Certified Third-Party Assessor Organization, also known as a C3PAO. To become certified as C3PAOs, organizations must be certified up to CMMC Level 3 in their own right (see below) and meet other criteria, such as full ownership by US citizens, general insurance coverage, and a proprietary licensing agreement.
The CMMC-AB provides an updated registry of C3PAOs and works to actively match target organizations seeking CMMC compliance with a C3PAO that meets their needs and means.
The Roles of Other DoD and DoD-Adjacent Stakeholders
The body that oversees the CMMC-AB and all matters pertaining to the CMMC is the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S). The OUSD-A&S exists to ensure safe and efficient operations of all military branches and the many varied contractors that comprise the Defense Industrial Base (DIB) sector.
Other essential stakeholders are those involved in the CMMC’s source text publications, including:
- The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) are both codified in the Code of Federal Regulations (CFR) and published by the Office of the Federal Register (OFR).
- Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is involved, along with various supplemental documents. These additional documents are all published by the National Institute of Standards and Technology (NIST).
Both of these organizations (the OFR and NIST) are populated by experts from various IT-related fields. These experts work together to create and enforce standards for DoD and other critical infrastructure industries.
Understanding Compliance with the CMMC Framework
When your company is assessed by a C3PAO or other organizational assessor accredited by the CMMC-AB, certification is tied to your CMMC framework implementation. As noted above, this framework is informed by several other standards from NIST and other government agencies. It’s also uniquely accessible, especially when compared to other frameworks.
This is because the CMMC is divided into five “Maturity Levels” that allow for gradual adoption of its controls. Rather than requiring companies to implement the entire framework in one fell swoop, the CMMC provides a slower, stepwise progression. At each level, you are tested on that level’s respective Practices, along with a “Process” maturity goal (more on this below).
Beyond Maturity Levels, the other primary component of the CMMC is its scheme of security “Domains.” There are 17 in total, which break down into 43 Capabilities and 171 Practices.
Breakdown of CMMC Framework Maturity Levels
Each Maturity Level in the CMMC corresponds to a specific security focus, a Practice goal, and a threshold for Process maturity. These are then defined by how they’re instituted, including:
- Maturity Level 1 – This level concerns installing protections for Federal Contract Information (FCI). Practices constitute “basic cyber hygiene.” Processes are just “performed.”
- Maturity Level 2 – This level involves preparing for the protection of Controlled Unclassified Information (CUI). Practices constitute “intermediate cyber hygiene.” Processes are “documented.”
- Maturity Level 3 – This level concerns implementing full-scale, long-term protections for both FCI and CUI. Practices constitute “good cyber hygiene.” Processes are “managed” actively.
- Maturity Level 4 – This level shifts focus from CUI/FCI to Advanced Persistent Threats (APT). Practices must qualify as “Proactive.” Processes are now regularly “reviewed.”
- Maturity Level 5 – This level perfects safeguards for FCI/CUI and preventive measures for APT. Practices are “Advanced/Progressive.” Processes are continuously “optimized.”
The first three levels are checkpoints in terms of DoD requirements: CMMC Level 3 encompasses all of NIST SP 800-171 and a select few other controls. This level paves the way for the advanced protections at Level 4 and Level 5, for which assessment methods are in development.
Breakdown of CMMC Framework Security Domains
All of the CMMC Practices (or Controls) distributed across 17 Domains are based loosely on Requirement Families in NIST SP 800-171. They break down as follows:
- Access Control (AC) – Comprising four Capabilities and 26 Practices
- Asset Management (AM) – Comprising two Capabilities and two Practices
- Audit and Accountability (AU) – Comprising four Capabilities and 14 Practices
- Awareness and Training (AT) – Comprising two Capabilities and five Practices
- Configuration Management (CM) – Comprising two Capabilities and 11 Practices
- Identification and Authentication (IA) – Comprising one Capability and 11 Practices
- Incident Response (IR) – Comprising five Capabilities and 13 Practices
- Maintenance (MA) – Comprising one Capability and six Practices
- Media Protection (MP) – Comprising four Capabilities and eight Practices
- Personnel Security (PS) – Comprising two Capabilities and two Practices
- Physical Protection (PE) – Comprising one Capability and six Practices
- Recovery (RE) – Comprising two Capabilities and four Practices
- Risk Management (RM) – Comprising three Capabilities and 12 Practices
- Security Assessment (CA) – Comprising three Capabilities and eight Practices
- Situational Awareness (SA) – Comprising one Capability and three Practices
- System and Communications Protection (SC) – Comprising two Capabilities and 27 Practices
- System and Information Integrity (SI) – Comprising four Capabilities and 13 Practices
Across all the Domains, Capabilities, and Practices, CMMC compliance can be a challenge. But working with a quality C3PAO accredited by the CMMC-AB, like RSI Security, can simplify it.
Simplify CMMC Compliance with a Quality C3PAO
The responsibilities of the CMMC-AB pertain primarily to accreditation for C3PAOs, such as RSI Security. Your company is likely to deal less with the CMMC-AB and more with a C3PAO like us. Critically, not all C3PAOs are created equal. The team at RSI Security is happy to help your company with all elements of CMMC compliance, including assessment and building out all required controls. For solutions tailored to the specific compliance and cybersecurity needs of your company, contact RSI Security today!