CMMC: Cybersecurity Maturity Model Certification
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is the US Government's method of auditing compliance with NIST SP 800-171. Contractors of various government agencies, including the Department of Defense (DoD), need to meet these requirements. CMMC is a program initiated by the DoD to measure its defense contractors' capabilities, readiness, and sophistication in the area of cybersecurity. At a high level, the framework is a collection of processes, other frameworks, and inputs from existing cybersecurity standards such as NIST, FAR, and DFARS.
At a tactical level, the primary goal of the certification is to improve the surety and security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is in the possession and use of their federal contractors. The CMMC program was announced on January 31, 2020.
Conservative estimates indicate that up to 300,000 organizations will need to comply with CMMC. Many of those are not traditional defense contractors: they are affected through a trickle-down effect from third parties, because CMMC follows Controlled Unclassified Information (CUI) to wherever its confidentiality must be protected, that is, wherever it is stored, transmitted, or processed.
Who needs CMMC?
CMMC certification is required for prime contractors and subcontractors doing work for or on behalf of the Department of Defense. CMMC is needed to improve and ensure the safeguarding of sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) associated with federal contractors.
Who performs CMMC assessments?
Only Authorized and Accredited C3PAOs who are listed on the CMMC-AB Marketplace website will be able to conduct CMMC assessments. C3PAOs will use only Authorized and Certified CMMC assessors to conduct CMMC assessments.
SecureCircle is not involved in the assessment process.
The 5 Certification Levels of CMMC
There are five levels to the CMMC framework, each of which has its own specific set of practices that will be assessed during a CMMC audit.
1. Level 1 (Basic Cyber Hygiene) - requires that an organization performs the specified practices.
2. Level 2 (Intermediate Cyber Hygiene) - requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts.
3. Level 3 (Good Cyber Hygiene) - requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation.
4. Level 4 (Proactive) - requires that an organization review and measure practices for effectiveness.
5. Level 5 (Advanced/Progressive) - requires an organization to standardize and optimize process implementation across the organization.

How do I become CMMC compliant?
- The first step is to ensure that you are NIST 800-171 compliant.
- Plan accordingly with the timelines for CMMC.
- Third-Party Assessment Organizations will play a key role in the CMMC compliance process. Therefore, becoming familiar with third-party assessment organizations is important.
- Lastly, you should identify the level of compliance needed for your organization.
How SecureCircle Addresses CMMC
SecureCircle's persistent data security and frictionless impact on users and applications allow SecureCircle to be applied to broad data segments rather than only securing the most critical data. Additionally, SecureCircle enables granular control and permissions for users, admins, groups, devices, applications, and networks. Combining broad features and granular controls allows organizations to configure SecureCircle to meet security and compliance requirements.
Why do customers choose SecureCircle to meet CMMC requirements?
- SecureCircle helps organizations meet over 40 controls and practices across eight domains needed to obtain Level 3 certification.
- Transparent and frictionless to users and applications. SecureCircle meets CMMC requirements without impacting users. This transparent approach means that user behavior does not need to change, and applications do not need to integrate in any way to take advantage of the control and security SecureCircle delivers.
- Rapid and straightforward deployment. SecureCircle is a SaaS and endpoint agent architecture, enabling fast and straightforward deployment. No DLP rules to create or alerts to manage. Just define a Circle and allow users and applications to access data. There is no dependency on discovery or classification.
- Reduce cost and complexity. SecureCircle has a simple per-user pricing model that reduces our customers' costs. SecureCircle further reduces cost and complexity by avoiding the need for multiple products, software integrations, and ongoing security controls administration.
SecureCircle enables organizations to achieve CMMC
SecureCircle allows organizations to meet CMMC requirements without any additional burden on user or business workflows. Users continue to operate without any knowledge that SecureCircle is securing CUI and CMMC data. Organizations can deploy SecureCircle without training users on new workflows.
Level 3

Domain | Certification Number | CMMC Requirements | SecureCircle
--- | --- | --- | ---
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. |
Access Control | AC.3.019 | Terminate (automatically) user sessions after a defined condition. |
Access Control | AC.3.014 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Audit and Accountability | AU.3.045 | Review and update logged events. |
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. |
Audit and Accountability | AU.3.051 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. |
Audit and Accountability | AU.3.052 | Provide audit record reduction and report generation to support on-demand analysis and reporting. |
ID and Authentication | IA.3.085 | Prevent the reuse of identifiers for a defined period. |
ID and Authentication | IA.3.086 | Disable identifiers after a defined period of inactivity. |
Media Protection | MP.3.123 | Prohibit the use of portable storage devices when such devices have no identifiable owner. |
Security Assessment | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. |
Security Assessment | SC.3.182 | Prevent unauthorized and unintended information transfer via shared system resources. |
Security Assessment | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Security Assessment | SC.3.187 | Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Security Assessment | SC.3.190 | Protect the authenticity of communications sessions. |
Security Assessment | SC.3.191 | Protect the confidentiality of CUI at rest. |
Level 2

Domain | Certification Number | CMMC Requirements | SecureCircle
--- | --- | --- | ---
Access Control | AC.2.005 | Provide privacy and security notices consistent with applicable CUI rules. |
Access Control | AC.2.006 | Limit use of portable storage devices on external systems. |
Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. |
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. |
Access Control | AC.2.009 | Limit nonsuccessful login attempts. |
Access Control | AC.2.010 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. |
Access Control | AC.2.013 | Monitor and control remote access sessions. |
Access Control | AC.2.015 | Route remote access via managed access control points. |
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. |
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
Configuration Management | CM.2.063 | Control and monitor user-installed software. |
ID and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. |
ID and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. |
ID and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. |
Media Protection | MP.2.121 | Control the use of removable media on system components. |
Personnel Security | PS.2.128 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. |
Risk Management | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
Risk Management | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. |

Level 1

Domain | Certification Number | CMMC Requirements | SecureCircle
--- | --- | --- | ---
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
Access Control | AC.1.004 | Control information posted or processed on publicly accessible information systems. |
ID and Authentication | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices. |
ID and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems. |