Cybersecurity Maturity Model Certification (CMMC)

The CMMC is a new security standard that applies to US Department of Defense (DoD) contractors working with Controlled Unclassified Information (CUI). It is intended to replace NIST 800-171 and the existing self assessment process, and will use third party assessment organisations to evaluate a contractors CMMC levels. The CMMC is being rolled out in a phased approach during 2021-2025. Magnitude 8 assists Australian businesses to be Defence-ready by assisting with NIST 800-171 and transitioning to the CMMC.

The CMMC model has 5 maturity levels, 1 being basic cybersecurity up to 5 for advanced cybersecurity. The model is cumulative and level 1 must be completed by all organisations. Level 1 is required if Federal Contract Information (FCI) is possessed but CUI is not possessed, transmitted or stored. Level 3 is the minimum level for the handling of CUI and includes all of the NIST 800-171 requirements. Levels 4 and 5 will be targeted at those supporting DoD critical programs.

Level 1: Basic cyber hygiene with limited resistance against data exfiltration, where processes such as incident response are carried out in an Ad hoc manner.

Level 2: Intermediate cyber hygiene with minor resistance against data exfiltration and where processes are documented.

Level 3: Good cyber hygiene with coverage of all NIS 800-171 r1 controls. Moderate resistance against data exfiltration. Processes are maintained and followed, with complete knowledge of cyber assets.

Level 4: Proactive and sophisticated cybersecurity practices such as Data loss prevention and Threat Hunting. Processes are periodically reviewed and improved.

Level 5: Advanced/Progressive cybersecurity practices, reserved for the most critical systems. Processes are continually improved.

For further information please see the CMMC FAQs provided by the Office of the Under Secretary of Defense for Acquisition & Sustainment.

If you’d like to organise a meeting to find out more and meet our team, please contact us.