Helping You Meet CMMC Compliance Standards
I.T. Matters works with organizations that must achieve Cybersecurity Maturity Model Certification (CMMC) compliance to satisfy the Department of Defense (DoD) requirements for cybersecurity readiness. To hold contractors and subcontractors accountable for their cybersecurity practices, the DoD has implemented the Defense Federal Acquisition Regulation Supplement (DFARS) National Institute of Standards and Technology (NIST) 800-171 Interim Rule.
The first step towards certification for your organization is to have I.T. Matters conduct a third-party Readiness Assessment to measure how close or how far away you are from meeting the requirements of CMMC compliance.
It is very important that your organization pass any CMMC audit on the first attempt. The I.T. Matters Readiness Assessment is designed to help discover inadequate system setups and processes that may not meet all of the CMMC required controls.
The I.T. Matters team will take a closer look at your network and procedures as a first step to ensuring compliance with the CMMC standards and guidelines. The results of the CMMC Readiness Assessment may reveal issues with:
- How access to information systems is controlled
- How managers and information system administrators are trained
- How data records are stored
- How security controls and measures are implemented
- How incident response plans are developed and implemented
Without this critical gap analysis, it’s impossible to know what changes your organization needs to make before it meets the required CMMC Level 1. I.T. Matters uses findings from the assessment to create a remediation plan that will aid in correcting any issues and challenges to ensure you successfully meet CMMC compliance the first time around.
CMMC Compliance Levels
CMMC combines various cybersecurity standards (NIST 800-171, 800-53, and more) with standard cybersecurity best practices and maps these controls and processes across maturity levels that range from basic cyber hygiene to more advanced levels.
I.T. Matters helps organizations facing CMMC compliance audits meet the following CMMC levels and their respective requirements:
- Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for Level 1, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1. All contractors will be required to meet Level 1 of CMMC compliance. This level focuses on the protection of Federal Contract Information (FCI).
- Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for Level 2, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1, plus 7 new “Other” controls. This level focuses on documentation and policy requirements to prepare the contractor for further CMMC compliance requirements.
- Level 3 – “Good Cyber Hygiene” – In order to pass an audit for Level 3, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1, plus 13 new “Other” controls. For contractors who have access to Controlled Unclassified Information (CUI), Level 3 is the lowest required level of CMMC compliance. Any contractor with a DFARS clause in their contract will have to meet at least Level 3 requirements.
- Level 4 – “Proactive” – In order to pass an audit for Level 4, the DoD contractor will need to implement 11 controls of NIST 800-171 RevB, plus 15 new “Other” controls. This level focuses on measuring an organization’s incident detection and response capabilities. Level 4 focuses on protecting CUI and includes additional enhanced security requirements.
- Level 5 – “Advanced/Progressive” – In order to pass an audit for Level 5, the DoD contractor will need to implement the final 4 controls in NIST 800-171 RevB, plus 11 new “Other” controls. Level 5 is the highest level of CMMC compliance that can be achieved. At this level, organizations have implemented the most sophisticated and optimized cybersecurity practices to protect CUI.
We currently help organizations prepare for their CMMC Audit. I.T. Matters works with you to ensure you have all the requirements in place to pass your CMMC audit.