Here are the most significant areas of CMMC to consider if you are already meeting DFARS 7012 and NIST 800-171.
To pass a Level 3 audit, companies will be assessed on their ability to meet and demonstrate all practices (130 broken down below) to address Levels 1, 2, and 3. This will include technical architecture and solutions, along with written policies.
CMMC and DFARS 7012 collectively consists of three basic requirements:
As Scott Edwards, President of Summit 7, stated in a previous presentation on CMMC Level 3 "If you're NOT NIST 800-171 compliant, go back and do that. You can't tackle CMMC if you are not NIST compliant; it's also just practicing basic cyber hygiene".
Upon NIST 800-171 compliance, there are an additional 10 technical and 10 procedural practices to implement to achieve CMMC Level 3 compliance.
A few examples:
To start with a proper understanding of L3, watch this 20 min excerpt from the most watched CMMC Level 3 discussion on YouTube.
SIEM solutions to meet incident response requirements:
Summit 7 Preferred: Microsoft Azure Government Sentinel
Resilient data backup and restoration solutions meeting FedRAMP Moderate standards and able to backup Office 365 GCC High or GCC:
Summit 7 Preferred: AvePoint and Azure Backup
Summit 7 Preferred: OpenDNS
SPAM and Email protections:
Summit 7 Preferred: Microsoft (Office) 365 GCC High Exchange Online Protection and Defender for Office 365
Summit 7 has architected a complete solution set to help organizations achieve CMMC Level 3 compliance. The set is developed within Microsoft (Office) 365 GCC High (or GCC) and Azure Government as part of the initiative to protect the warfighter and keep the Defense Industrial Base secured. Contact us about the CMMC Level 3 Solution set below.
As the image below represents, meeting Level 3 requires organizations to practice "Good Cyber Hygiene", while actively "managing" security processes. CMMC officials, including Katie Arrington of the Office of the Under Secretary of Defense (OUSD), have publicly stated the majority of defense contractors will need to certify at Level 1 on the outset. Nevertheless, most prime contractors and many of their subs in the DIB will need to meet Level 3, as it most closely aligns to the preexisting requirements of DFARS 7012; this will also hold true for higher education institutions, or research organizations handling sensitive information for the DoD. This is especially true for organizations that more regularly handle Controlled Unclassified Information (CUI) or interact with more sensitive data sets. Access a more detailed explanation and overview of CMMC, as well as history and background here.
Note: The release of the DFARS Interim Rule requires CMMC certification at the time of contract award or option year award if included in the acquisition/solicitation, and the certification must be acquired in the previous three years (similar to DFARS 7019 and 7020 reporting requirements). Therefore, DFARS 7021 will be included as guiding requirements for use in solicitations and contracts until September 30, 2025.
OUSD A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.
If you still have questions about CMMC Level 3, or anything around understanding the Cybersecurity Maturity Model Certification as a whole please do not hesitate to reach out to us.
Here are some ways you can stay connect to the Summit 7 team and hear the latest and greatest on all things security and compliance: