Here are the most significant areas of CMMC to consider if you are already meeting DFARS 7012 and NIST 800-171.
To pass a Level 3 audit, companies will be assessed on their ability to meet and demonstrate all practices (130 broken down below) to address Levels 1, 2, and 3. This will include technical architecture and solutions, along with written policies.
CMMC and DFARS 7012 collectively consists of three basic requirements:
As Scott Edwards, President of Summit 7, stated in a previous presentation on CMMC Level 3 "If you're NOT NIST 800-171 compliant, go back and do that. You can't tackle CMMC if you are not NIST compliant; it's also just practicing basic cyber hygiene".
Upon NIST 800-171 compliance, there are an additional 10 technical and 10 procedural practices to implement to achieve CMMC Level 3 compliance.
A few examples:
To start with a proper understanding of L3, watch this 20 min excerpt from the most watched CMMC Level 3 discussion on YouTube.
SIEM solutions to meet incident response requirements:
Summit 7 Preferred: Microsoft Azure Government Sentinel
Resilient data backup and restoration solutions meeting FedRAMP Moderate standards and able to backup Office 365 GCC High:
Summit 7 Preferred: AvePoint and Azure Backup
Summit 7 Preferred: OpenDNS
SPAM and Email protections:
Summit 7 Preferred: Office 365 GCC High Exchange Online Protection and ATP
Summit 7 has architected a complete solution set to help organizations achieve CMMC Level 3 compliance. The set is developed within Office 365 GCC High and Azure Government as part of the initiative to protect the warfighter and keep the Defense Industrial Base secured.
You can learn more about it here.
As the image below represents, meeting Level 3 requires organizations to practice "Good Cyber Hygiene", while actively "managing" security processes. CMMC officials, including Katie Arrington of the Office of the Under Secretary of Defense (OUSD), have publicly stated the majority of defense contractors will need to certify at Level 1 on the outset. Nevertheless, most prime contractors and many of their subs in the DIB will need to meet Level 3, as it most closely aligns to the preexisting requirements of DFARS 7012. This is especially true for organizations that more regularly handle Controlled Unclassified Information (CUI) or interact with more sensitive data sets. Access a more detailed explanation and overview of CMMC, as well as history and background here.
If you still have questions about CMMC Level 3, or anything around understanding the Cybersecurity Maturity Model Certification as a whole please do not hesitate to reach out to us.
Here are some ways you can stay connect to the Summit 7 team and hear the latest and greatest on all things security and compliance: