Understanding Cybersecurity Maturity Model Certification

The introduction of the Cybersecurity Maturity Model Certification (CMMC) Framework on January 31, 2020 marks a bold new undertaking. The new framework brings with it an expectation that DoD contractors and sub-contractors meet one of five levels of cybersecurity preparedness. Assessments will be performed by independent organizations, with recertification projected to occur anew every three years once the required baseline is met.

FAQ: Answers to Some Other Questions.

Who will perform the assessment?

Short answer: right now NO ONE.

Long answer: at some point in the near future the CMMC accreditation body will implement a process to credential reviewers. Once a reviewer has obtained that credential, they will be able to provide certification services.

What level of certification will be required?

Again according to the Department of Defense FAQ:

"The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs)"

What should I be doing?

Review the framework. Treat it as a series of questions and honestly answer where your organization stands currently. Begin to consider what actions you can take to meet the desired level of compliance. If you don't have the resources or time internally to complete this evaluation, find an external resource that can advise on the actions you should take. Then use the next six months or year to work towards deploying the policies, processes and technology needed.

How often will it have to be done?

According to the Department of Defense FAQ:

"In general, a CMMC certificate will be valid for 3 years"

Resources

Many key decisions remain but there are several things we do know.

Cybersecurity Maturity Self Assessment

A very simple self-assessment for measuring your organization against NIST SP 800-171 and level one cybersecurity maturity.

Access Control: SP 800-171 Security Family 3.1

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems).

User access security refers to the set of procedures by which authorized users access the system and unauthorized users are prevented from accessing it. Where to look: access control policy; account management procedures; access enforcement procedures; list of conditions for group and role membership.

Does the company use passwords?

Yes
No
Partially
Does Not Apply

Does the company have an authentication mechanism?

Yes
No
Partially
Does Not Apply

Does the company require users to logon to gain access?

Yes
No
Partially
Does Not Apply

Are account requests authorized before system access is granted?

Yes
No
Partially
Does Not Apply

Does the company maintain a list of authorized users, defining their identity and role, that is synchronized with the system, application, and data layers?

Yes
No
Partially
Does Not Apply


3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.

Even authorized users are restricted to those parts of the system that they are explicitly permitted to use. This is based on their "need-to-know" and their role within the company. Where to look: access control policy; account management procedures; access enforcement procedures; security plan.

Do you use access control lists to limit access to applications and data based on role and/or identity?

Yes
No
Partially
Does Not Apply

Does the system allow for the separation of access control rights and enforcement of those rights?

Yes
No
Partially
Does Not Apply


Online Events and Seminars

There are currently no events that we are aware of. But as we learn more, so will you. Please keep in touch - sign up for our CMMC update.

Do You Have a Question Not Covered Here?

Well, try us. If it's not mentioned here, we'll research it and get back to you while updating our website. Thank you for your contribution.


Who Are We? Learn More About Our Firm:

Saltmarsh, Cleaveland and Gund is one of the largest CPA-led business advisory firms in the Southeast, serving clients throughout the U.S. and worldwide from offices across Florida and in Nashville, Tennessee. The firm has been recognized as one of the Top 200 Firms in the U.S. by INSIDE Public Accounting, a Regional Leader by Accounting Today and named one of Forbes' Top Recommended U.S. Tax Firms.

Saltmarsh offers a full range of professional services, including specialized consulting services for many industries and high net worth individuals with investment management affiliate, Saltmarsh Financial Advisors, LLC.

Saltmarsh Cleaveland & Gund Certified Public Accountants and Consultants