What is the CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for DoD acquisitions. The CMMC framework comes with a CMMC assessment and certification program to verify the implementation of security requirements, processes and practices.
The CMMC framework contains five maturity processes, 171 cybersecurity best practices, and progresses across five maturity levels. The CMMC maturity processes standardize consistent, repeatable, and quality activities. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguards at Level 1, broad protection at Level 3, and risk reduction from adversaries with sophisticated levels of expertise and significant resources, Advanced Persistent Threats (APTs) at Levels 4 and 5.
What The CMMC Accomplishes
The CMMC provides a roadmap for organizations doing business with the Department of Defense (DoD) to increase their security and to protect the DoD supply chain. The CMMC aims to establish the appropriate levels of security controls, and processes are in place to protect controlled unclassified information (CUI) on defense contractor systems. The CMMC institutionalizes cybersecurity and good cyber hygiene in organizations, so cyber defense activities are embedded or ingrained in an organization’s operations. The CMMC maturity levels set a measure of an organization’s CMMC institutionalization.
What is the CMMC Compliance Timetable?
- The release of the first version of the CMMC was in January 2020.
- In June 2020, the industry should expect to see CMMC requirements in Requests for Information (RFIs).
- In September 2020, contractors should see CMMC requirements as part of Requests for Proposals (RFPs).
- After December 2020, CMMC audits begin. Prime contractors will need to be certified by an accredited Third Party Assessment Organization (C3PAO) to bid on new RFPs.
Where Does the Securd Fit In CMMC?
Let’s review where Securd Web Gateway DNS filtering will enable you to achieve compliance at different certification levels.
Level 1: Safeguard Federal Contract Information (FCI)
Level 1 (SC.1.175) requires organizations to “monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of information systems.”
Since the DNS protocol is a fundamental function of system communication, a DNS firewall enables your organization to protect and control all aspects of DNS communication at external boundaries.
Level 3: Protect Controlled Unclassified Information (CUI)
If you require Level 3 of compliance or greater and don’t have a DNS firewall or DNS filtering protecting static IP sites and remote endpoints, you need to Get Started with getting Securd deployed.
Level 3 (SC.3.192) requires organizations to implement Domain Name System (DNS) filtering services. The requirement is security-oriented and not content-oriented. This requirement intends to reduce the organization’s attack surface and should materially reduce the possible number of domains and networks DNS will allow. Securd’s default block policy option, patent-pending zero-trust policy option, and geographic policies properly address this requirement.
Levels 4-5: Protect CUI and Reduce Risk of Advanced Persistent Threats (APT)
Level 4 (SC.4.199) requires organizations to utilize threat intelligence to block DNS requests from reaching malicious domains. With 10+ real-time security intelligence-driven categories, Securd delivers continuous protection from malicious domains used in ransomware, phishing, malware, and other cyber threats.
Level 4 (SC.4.229) requires organizations to utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization. With security-oriented content categories, Securd prevents access to high-risk websites such as Covid-19 scam websites and Pornographic sites. Organizations can create custom block and allow lists enforce granular control access to a minimal amount of necessary websites to conduct business.
Level 5 (SC.5.198) requires organizations to configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizationally defined boundaries. Securd DNS logging assures you maintain compliance with this requirement. Whether your DNS requests come from a static network or an off-network browser uses DoH, Securd logs, and stores all DNS requests for review and threat analysis.
Connect With Securd
Want to get into the details of CMMC compliance with Securd?
Contact Us today, and we’ll connect you with an authorized Certified CMMC consultant to get advice about your specific situation.