MEP Center Resources
for Cybersecurity Maturity Model Certification (CMMC)
What is NIST/CMMC?
We understand that MEP Centers have been tasked with educating small business about NIST/CMMC. This page offers information especially for you. The launch of the Cybersecurity Maturity Model Certification (CMMC) program serves as an important and necessary step in the advancement of our country’s ability to protect its people, military, industry, and more. Threats to our country’s information grow by the day, and adversaries are becoming more capable.
For businesses working with the Department of Defense (DoD), the threat grows. In order for companies to be awarded government projects, they will need to employ several information security solutions, and put policies into place that drive action for their organizations.
The CMMC program was created after a major breach of contractors and subcontractors and subsequently several government agencies. This program is designed to level-up the security of information shared by the Department of Defense and contractors and subcontractors and gives the Department enhanced confidence that CUI is being protected. Read below to learn more about CMMC 2.0, NIST, and DFARS.
The Structure of CMMC
CMMC measures cybersecurity at 3 levels, from Foundational to Expert. Businesses who only handle Federal Contract Information (FCI) will require Level 1. Businesses who handle Controlled Unclassified Information (CUI) will require Level 2. Level 3 exists to protect highly sensitive CUI and will be required by few contractors. For a complete overview:
About CMMC 2.0
In November of 2021, the Department of Defense announced plans for an improved CMMC 2.0 program. The goal of 2.0 is to maintain the initial program while reducing compliance challenges as much as possible.
The CMMC 2.0 program has three key features:
Tiered Model:
The CMMC program lays out the process for requiring protection of controlled unclassified information (CUI) that is shared with the Defense Industrial Base (DIB) and requires those companies trusted with national security information to meet the required cybersecurity standards at the appropriate level based on the type and sensitivity of the information.
Assessment Requirement:
CMMC assessments allow the DoD to verify that the defined cybersecurity requirements have been met.
Implementation Through Contracts:
Once CMMC is fully implemented and a contract has a CMMC requirement specified, contractors will be required to meet the appropriate CMMC level as a condition of the contract award.
NIST 800-171
NIST stands for the National Institute of Standards and Technology and NIST 800-171 establishes a set of standards and is a collection of regulations with the goal of protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. These sets of standards are applied to safeguarding and distributing information like personal information or intellectual property that is regarded as sensitive but not classified.
Compliance with the most recent revision of NIST 800-171 requires anyone working with CUI as part of the DoD, General Services Administration (GSA), or National Aeronautics and Space Administration (NASA) to implement security procedures when handling controlled unclassified Information.
NIST Compliance is demonstrated with the use of a self-assessment against the 110 requirements outlined in NIST 800-171. Every one of the NIST controls has a weighted value associated with it. It’s either one point, three points, or five points. So you could have at best, a positive score of 110 or at worst, a negative 203 score. Scores must be submitted before contracts or renewals are awarded. Scores are registered in the DoD’s Supplier Performance Risk System (SPRS).
Consulting Support for CMMC Compliance
At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide training for your employees, your management, and your IT Team or MSP (if you outsource your IT needs).
We also assist you in your guided self-assessment. We will help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), Roadmap, and budget.
CORE Compliance Platform
Our consulting plans also include the CORE Security Suite to help you implement CMMC practices and maintain certification going forward.
Resources for MEP Centers:
Training for MEP Center Staff (video and online live training)
Free CMMC Guides for your customers
Cybersecurity Basics Training (video series)
Co-sponsored Webinars for CMMC topics
CMMC Remediation Consulting Services
CORE Vault a CUI Enclave Solution for Small Businesses
Video Library of CMMC Public Webcasts from 2024 and 2023 (from our webinars page) and upcoming live webinars that you can co-sponsor.
Contact us if you are interested in learning more about any of these resources.