CMMC Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a DoD Framework designed to enable the Defense Industrial Base (DIB) to better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Aligned with other federal cybersecurity guidelines, especially those from NIST, it gives a clear process to improve cybersecurity for organizations serving national security. IoT and OT are explicitly included (“Specialized Assets”).

Why is CMMC Compliance Important?

CMMC is one of the more complex cybersecurity compliance frameworks, with three levels and a different set of required security practices at each. Level 1 has 15 practices, the common Level 2 has 110 (the requirements of NIST SP 800-171), and Level 3 has 134 (those 110 plus 24 selected from NIST SP 800-172). IoT and OT are in scope of CMMC as Specialized Assets, as defined in 32 CFR Part 170.

Required for Contracting

US Department of Defense (DoD) contractors (and subcontractors) handling FCI or CUI will see a required CMMC level specified in their contracts, and prime contractors must flow that requirement down to subcontractors that handle the same information.

Defense Ready

CMMC helps organizations serving the US national security mission handle FCI and CUI securely.

NIST-Aligned

CMMC Level 2 maps directly to the 110 requirements of NIST SP 800-171, and Level 3 adds 24 requirements selected from NIST SP 800-172. This eases the burden of having to comply with multiple, uncoordinated cybersecurity frameworks.

Specific, Protective, Program-Oriented

CMMC helps Organizations Operate Securely

Recognizing the breadth of the Defense Industrial Base (DIB), CMMC offers a graduated set of maturity levels to commit to and more than one method for demonstrating compliance.

Maturity Levels

CMMC defines three maturity levels, each with its own set of required security practices. The practices span 14 domains; Level 3, the highest, requires 134 of them. A typical organization benchmarks itself against each level to see where it stands today, then commits to reaching the level its contracts require.

Assessment Methods

There are three assessment methods in CMMC: an annual self-assessment at Level 1, with an affirmation recorded in SPRS; a certification assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO) at Level 2 (a subset of Level 2 contracts permit self-assessment instead); and a government-led assessment by DCMA's DIBCAC at Level 3. The great majority of organizations pursuing CMMC will seek Level 1 or Level 2.

What are the checks and how does Asimily help?

Each check is a specific security requirement derived from NIST SP 800-171. The requirements are grouped into 14 domains:

Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)

Asimily helps deliver on specific checks from this list through a combination of software capabilities, advisory services, or both.