Cybersecurity Maturity Model Certification (CMMC) and Why You Should Care

5 years ago Steven Tipton
The U.S. Department of Defense released the first version of the Cybersecurity Maturity Model Certification (CMMC) back on January 31, 2020. Since that time, there has been a flurry of different industry experts working towards helping clients understand and prepare for getting certified under CMMC. But what is it?

The Cybersecurity Maturity Model Certification (CMMC)

If you are familiar with NIST 800-171, then you are ahead of the curve. NIST 800-171 was created to allow companies that had contracts with the Department of Defense to show they were protecting Controlled Unclassified Information (CUI). This included personal and confidential data residing on non-federal systems operated on behalf of a federal agency. Initially, contractors were allowed to self-certify that they met the NIST 800-171 requirements. CMMC version 1 seeks to change that by requiring a third-party assessment of the contractor's compliance with CMMC and by mandating that the contractor demonstrate its capability to adapt to evolving cyber threats against CUI.

This new CMMC requirement will affect over 300,000 different companies, from large system integrators to simple mom-and-pop shops that might provide cleaning services. Does this mean that each contractor will be required to meet the same standards? No; there will be five tiers, based upon function, that different contractors will have to meet. Each tier builds on the one below it, so a contractor at Tier 2 would have to meet the Tier 1 and Tier 2 requirements, while a company at Tier 5 would have to meet all the requirements for Tiers 1-5. Each tier establishes a different level of cybersecurity maturity.

The 5 Levels of CMMC

  • Level 1 covers the basic safeguarding of contractor information systems as listed in FAR Clause 52.204.21. It provides for things such as limiting systems to authorized users only, limiting them to certain types of transactions, and ensuring federal contract information is sanitized or destroyed properly. It corresponds to the 17 security requirements from NIST 800-171r1. Level 1 only has to meet 17 total practices to be compliant.
  • Level 2 takes Level 1 further by requiring greater cyber hygiene to protect CUI, applying an additional 48 controls from NIST 800-171r1. CUI by definition is “Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.” Level 2 has an additional 55 practices over Level 1, for a total of 72 practices.
  • Level 3 takes CMMC to the next step and requires “good cyber hygiene” to protect CUI. It encompasses all practices from NIST SP 800-171r1, bringing the total required practices for Level 3 to 130. This level includes the need to document each practice from the lower levels. Also, vendors will need to be able to show that they have adopted a plan that includes all activities for maintaining compliance.
  • Level 4 requires that contractors review and measure all their practices, and it establishes response procedures to the changing techniques and procedures of advanced persistent threats. Included in the compliance requirements are additional practices from the draft of NIST SP 800-171B, bringing the total to 156 practices required for compliance. Policy and planning should include all activities. Organizations will need to review and measure these activities and share their findings with upper-level management.
  • Level 5 requires that a company meet all previous levels and have a standard process in place for the organization to respond to and defend against advanced persistent threats. This includes documenting each practice from Levels 1-4. A written plan for Level 5 will include all the activities and have a process to review and measure them for effectiveness. A standardized, documented approach should be used across the organization.

CMMC is coming – be prepared

So, when will this be measured? The first round of RFPs that include CMMC is expected to drop in September 2020. It will then depend on when the DoD awards the contract. CMMC is coming, and it's important to prepare now instead of later. This affects every member of the Defense Industrial Base. Implementing NIST 800-171 will help in establishing the technical controls for CMMC.

If you are already a Tripwire Enterprise customer, you can download the CMMC policy compliance technical controls off our Tripwire customer center to help prepare for your CMMC audit.

If not, you can learn more about how to be prepared for CMMC here: https://www.tripwire.com/solutions/solutions-by-industry/government/cmmc-compliance-with-tripwire/.

The post “Cybersecurity Maturity Model Certification (CMMC) and Why You Should Care” appeared first on TripWire.

Source: TripWire – Steven Tipton
