Understanding Cybersecurity Maturity Model Certification
The release of the Cybersecurity Maturity Model Certification (CMMC) framework on January 31, 2020 marks a bold new undertaking. The framework brings with it an expectation that DoD contractors and subcontractors meet one of five levels of cybersecurity preparedness. Assessments will be performed by independent organizations, and once a contractor has been certified at the required level, recertification is projected to occur every three years.
FAQ: Answers to Some Other Questions.
Who will perform the assessment?
Short answer: right now, NO ONE.
Long answer: at some point in the near future the CMMC accreditation body will implement a process to credential reviewers. Once a reviewer has obtained that credential, they will be able to provide certification services.
What level of certification will be required?
Again according to the Department of Defense FAQ:
"The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs)"
What should I be doing?
Review the framework. Treat it as a series of questions and honestly answer where your organization stands today. Begin to consider what actions you can take to meet the desired level of compliance. If you don't have the resources or time to complete this internal evaluation, find an external resource that can advise on the actions you should take. Then use the next six months to a year to work toward deploying the policies, processes, and technology needed.
How often will it have to be done?
According to the Department of Defense FAQ:
"In general, a CMMC certificate will be valid for 3 years"
Many key decisions remain to be made, but there are several things we do know.
- The initial framework and an update have been made public. Follow this link to the most current version:
- An accreditation body has been created and authorized through a memorandum of understanding with the Department of Defense to create a credentialing program for trainers. Follow this link to learn more:
- A list of frequently asked questions, with answers to some common questions, is maintained on the Department of Defense website. Follow this link to view the Department of Defense FAQ page:
Cybersecurity Maturity Self-Assessment
A very simple self-assessment covering NIST SP 800-171 and Level 1 cybersecurity maturity.
Online Events and Seminars
There are currently no events that we are aware of. As we learn more, so will you. Please keep in touch: sign up for our CMMC update.
Do You Have a Question Not Covered Here?
Well, try us. If it isn't mentioned here, we'll research it and get back to you, and update our website at the same time. Thank you for your contribution.
Who Are We? Learn More About Our Firm:
Saltmarsh, Cleaveland and Gund is one of the largest CPA-led business advisory firms in the Southeast, serving clients throughout the U.S. and worldwide from offices across Florida and in Nashville, Tennessee. The firm has been recognized as one of the Top 200 Firms in the U.S. by INSIDE Public Accounting, a Regional Leader by Accounting Today and named one of Forbes' Top Recommended U.S. Tax Firms.
Saltmarsh offers a full range of professional services, including specialized consulting services for many industries and high net worth individuals with investment management affiliate, Saltmarsh Financial Advisors, LLC.