CMMC Model

Get in front of the Cybersecurity Maturity Model Certification (CMMC) with Black Bottle Security. Backed by our Compliance Experts, we understand how CMMC will impact your organization and how to prepare.
So, how will CMMC impact your organization? Hold on to your seats… the first, and perhaps the most noticeable, impact will be on re-competes. Your existing work could be up for grabs depending on which CMMC level is required by the contracting authority.

The CMMC is a framework that grades a company's cybersecurity on a scale of one (least secure) to five (most stringent).

Businesses (contractors) will be asked to comply with a tiered rating system, depending on the systems they will be working on with the Department of Defense (DOD).

For example, if you are providing janitorial services, you may only need to comply with Level 1 of CMMC, as opposed to Level 3, which is equivalent to NIST 800-171 regulations, or Level 4, which is reserved for exquisite systems.

Complying with CMMC Is Not Optional

Does my business really need to comply with CMMC if I don't deliver services directly to the DoD? 

Yes. In fact, every prime and subcontractor in a supply chain will be audited and certified under a CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). This will benefit the security of contractors and the DIB, as well as help the DoD avoid losses due to cyber breaches.

The Maturity Levels of NIST 800-171/CMMC Compliance:

The CMMC will require third-party audits and certification for the DOD supply chain. This requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171. Implementing cybersecurity in DOD supply chains is based on the identification of five certification tiers.

Five Certification Tiers:

  1. CMMC Level 1 | Basic Cyber Hygiene | 17 security controls (NIST SP 800-171 rev 1)
  2. CMMC Level 2 | Intermediate Cyber Hygiene | 46 security controls (NIST SP 800-171 rev 1)
  3. CMMC Level 3 | Good Cyber Hygiene | 47 security controls (NIST SP 800-171 rev 1)
  4. CMMC Level 4 | Proactive | 26 security controls (NIST SP 800-171B)
  5. CMMC Level 5 | Advanced/Progressive | 4 security controls (NIST SP 800-171B)

What we understand about CMMC so far.

DOD contractors will have to be certified to the required CMMC level in advance, pre-bid, to even be eligible to bid.
The intent of the CMMC is to combine various cybersecurity control standards, such as DFARS NIST 800-171, ISO 27001 and others, into one unified standard of cybersecurity.
DOD contractors are expected to begin achieving certification sometime after June 2020, which means that if you have not achieved NIST 800-171 compliance to date, your company is behind.
Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements.
In June 2020, the industry should begin to see the CMMC requirements as part of the Request for Information process.