CMMC: Cybersecurity Maturity Model Certification

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is the United States Department of Defense (DoD) program for verifying that its contractors comply with the safeguarding requirements of NIST SP 800-171. It measures a defense contractor's capabilities, readiness, and maturity in cybersecurity. At a high level, the framework is a collection of practices and processes drawn from existing cybersecurity standards and regulations such as NIST SP 800-171, the FAR, and DFARS.

At a tactical level, the primary goal of the certification is to improve the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held and used by DoD contractors. CMMC version 1.0 was released on January 31, 2020.

DoD estimates put the number of organizations that will need to comply with CMMC at roughly 300,000, and many of them are not traditional defense contractors. The requirements flow down through the supply chain, so any third party that stores, processes, or transmits CUI on a contractor's behalf is affected.

Who needs CMMC?

CMMC certification is required for prime contractors and subcontractors doing work for or on behalf of the Department of Defense. Its purpose is to ensure the safeguarding of sensitive data, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), held by those contractors.

Who performs CMMC assessments?

Only CMMC Third Party Assessment Organizations (C3PAOs) that are authorized and accredited and listed on the CMMC-AB Marketplace website can conduct CMMC assessments, and they may use only authorized and certified CMMC assessors to do so.
SecureCircle is not involved in the assessment process.

The 5 Certification Levels of CMMC

There are five levels in the CMMC framework, each with its own set of practices that will be assessed during a CMMC assessment. (This is the five-level model of CMMC version 1.0; the CMMC 2.0 revision announced in November 2021 consolidates it into three levels.)
1. Level 1 (Basic Cyber Hygiene) - requires that an organization perform the specified practices.
2. Level 2 (Intermediate Cyber Hygiene) - requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts.
3. Level 3 (Good Cyber Hygiene) - requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.
4. Level 4 (Proactive) - requires that an organization review and measure its practices for effectiveness.
5. Level 5 (Advanced/Progressive) - requires that an organization standardize and optimize process implementation across the organization.

How do I become CMMC compliant?

  • Identify the certification level your organization needs; the required level is specified by the DoD in the solicitation or contract.
  • Ensure that you are NIST SP 800-171 compliant, since CMMC Level 3 includes all 110 NIST SP 800-171 requirements.
  • Plan according to the CMMC rollout timelines.
  • Become familiar with CMMC Third Party Assessment Organizations (C3PAOs), since they conduct the assessments.

How SecureCircle Addresses CMMC

SecureCircle's persistent data security and minimal impact on users and applications allow it to be applied to broad data segments rather than only to the most critical data. SecureCircle also enables granular control and permissions for users, admins, groups, devices, applications, and networks. Combining broad coverage with granular controls allows organizations to configure SecureCircle to meet security and compliance requirements.

Why do customers choose SecureCircle to meet CMMC requirements?

  • SecureCircle helps organizations meet over 40 controls and practices across eight domains needed to obtain Level 3 certification.
  • Transparent and frictionless to users and applications. SecureCircle meets CMMC requirements without impacting users: user behavior does not need to change, and applications do not need to integrate in any way to take advantage of the control and security SecureCircle delivers.
  • Rapid and straightforward deployment. SecureCircle uses a SaaS and endpoint agent architecture, enabling fast deployment. There are no DLP rules to create or alerts to manage; you define a Circle and allow users and applications to access data. There is no dependency on discovery or classification.
  • Reduced cost and complexity. SecureCircle has a simple per-user pricing model, and it avoids the need for multiple products, software integrations, and ongoing administration of separate security controls.

SecureCircle enables organizations to achieve CMMC

SecureCircle allows organizations to meet CMMC requirements without any additional burden on user or business workflows. Users continue to operate without any knowledge that SecureCircle is securing CUI. Organizations can deploy SecureCircle without training users on new workflows.

Level 3 practices SecureCircle helps address

Domain | Practice ID | CMMC Requirement
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Access Control | AC.3.019 | Terminate (automatically) user sessions after a defined condition.
Access Control | AC.3.014 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Audit and Accountability | AU.3.045 | Review and update logged events.
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure.
Audit and Accountability | AU.3.051 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Audit and Accountability | AU.3.052 | Provide audit record reduction and report generation to support on-demand analysis and reporting.
Identification and Authentication | IA.3.085 | Prevent the reuse of identifiers for a defined period.
Identification and Authentication | IA.3.086 | Disable identifiers after a defined period of inactivity.
Media Protection | MP.3.123 | Prohibit the use of portable storage devices when such devices have no identifiable owner.
System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
System and Communications Protection | SC.3.182 | Prevent unauthorized and unintended information transfer via shared system resources.
System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
System and Communications Protection | SC.3.187 | Establish and manage cryptographic keys for cryptography employed in organizational systems.
System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions.
System and Communications Protection | SC.3.191 | Protect the confidentiality of CUI at rest.

Level 2 practices SecureCircle helps address

Domain | Practice ID | CMMC Requirement
Access Control | AC.2.005 | Provide privacy and security notices consistent with applicable CUI rules.
Access Control | AC.2.006 | Limit use of portable storage devices on external systems.
Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts.
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions.
Access Control | AC.2.009 | Limit unsuccessful logon attempts.
Access Control | AC.2.010 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Access Control | AC.2.013 | Monitor and control remote access sessions.
Access Control | AC.2.015 | Route remote access via managed access control points.
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations.
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Configuration Management | CM.2.063 | Control and monitor user-installed software.
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created.
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations.
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords.
Media Protection | MP.2.121 | Control the use of removable media on system components.
Personnel Security | PS.2.128 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Risk Management | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Risk Management | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments.

Level 1 practices SecureCircle helps address

Domain | Practice ID | CMMC Requirement
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Access Control | AC.1.004 | Control information posted or processed on publicly accessible information systems.
Identification and Authentication | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices.
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.