Defense contractors and their subcontractors are now expected to undergo a third-party audit to validate CMMC compliance and confirm that all NIST 800-171 standards for protecting controlled, unclassified information (CUI) have been met. 

To ease the burden of achieving compliance for this new standard, CMMC mapping can help your organization streamline compliance efforts by “mapping” your CMMC requirements to other compliance frameworks that your organization uses or is working toward implementing.

In today’s post, we’ll give an overview of what CMMC is, and how to map CMMC compliance demands to your existing compliance frameworks.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new compliance standard used by the U.S. government — specifically, the Department of Defense — to assess the cybersecurity of Defense Department contractors. CMMC defines five tiers of cybersecurity sophistication and then audits a contractor’s compliance to the appropriate tier.

The standards set forth in the CMMC come from the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 Revision 2, a standard meant to limit security risks in the government sector.

What are the CMMC Maturity Levels?

Before we discuss CMMC NIST 800-171 mapping to other frameworks, it’s important to explain the various CMMC levels so you can understand which level makes sense for your business. 

CMMC Level 1 –  Basic Cyber Hygiene 

Requires Defense Department contractors to implement 17 controls of NIST 800-171 Rev 1.

CMMC Level 2 – Intermediate Cyber Hygiene 

Requires Department of Defense (DoD) contractors to implement another 48 controls of NIST 800-171 Rev 1, plus seven more “Other controls.” 

CMMC Level 3 – Good Cyber Hygiene 

Requires DoD contractors to implement the final 45 controls of NIST 800-171 Rev 1, plus 13 additional “Other controls.”

CMMC Level 4 – Proactive Cybersecurity

Requires DoD contractors to implement 11 more controls of NIST 800-171 Rev 2, plus 15 additional “Other controls.”

CMMC Level 5 – Advanced/Progressive Cybersecurity 

Requires DoD contractors to implement the final four controls in NIST 800-171 Rev 2, plus 11 additional “Other controls.”

What is the difference between CMMC and CMM?

Compliance professionals may also have encountered the term “CMM” in their travels, and you may be wondering what the difference is between that term and “CMMC.” 

“CMM” stands for Capability Maturity Model, and it’s a compliance standard developed by the Software Engineering Institute (SEI). CMM was originally intended to be a methodology for software developers to build tools, increase maturity, and improve the software development process.

Today that concept is known as the Capability Maturity Model Integration, abbreviated as “CMMI.” CMMI has expanded beyond software development to include other industrial sectors, to help those businesses measure and improve their product capabilities and performance. 

As cybersecurity became a dominant challenge across all industries, the SEI began to reimagine CMMI as a foundation for better security, business continuity, and IT operational management. That led to the creation of the CERT Resilience Management Model, abbreviated as CERT-RMM — a process improvement model that shares a similar structure to CMMC. 

Both the CERT-RMM and CMMC address IT best practices, as well as an institutional process of maturity. So in essence, CMMC and CMMI are similar frameworks for different industrial sectors.

What’s the difference between CMMC and NIST?

For some time now, defense contractors have already had to abide by the cybersecurity requirements outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). That meant implementing the standards of NIST 800-171, which are the core of modern cybersecurity standards. 

On the other hand, CMMC is a more in-depth standard. It includes authentication for the security controls an organization has implemented to protect information systems and CUI. It also includes other cybersecurity risk management practices, such as incident response and continuous monitoring.

What happens if I’m not CMMC-compliant?

For defense contractors, CMMC compliance can mean the difference between eligibility to win Defense Department procurement contracts or not. Ultimately this could lead to loss of revenue and even having to close your business. On those grounds alone, CMMC compliance is not optional. 

There’s also a business imperative worth considering here. CMMC controls protect your infrastructure from cyber threats and data breaches. That means less risk for your business operations, and CMMC compliance also makes your business a more attractive supplier to any customer (government, corporate, or otherwise) because CMMC compliance demonstrates that you take cybersecurity seriously.

How much does CMMC certification cost?

The cost for CMMC certification varies depending on a number of factors, including but not limited to:

  • The certification maturity level you are attempting to receive
  • The size of your organization 
  • The number of locations where your business operates
  • Whether you require external support to prepare for your certification
  • The scope of your CUI (geographic locations, databases, applications, and networks involved in storing processing, or transmitting)

As an example, the cost for an organization with 250 employees and several locations, seeking CMMC Level 3 certification, could range from $80,000 to $190,000 depending upon the business’s maturity and the systems it already has in place.

How do my current frameworks map to CMMC?

NIST 800-171 sets the foundation for CMMC compliance. It’s also 100 percent mapped to NIST 800-53,  the standard guidelines for managing information systems that maintain any type of government data.

Where your map starts to change course depends on the specific requirements outlined for your DoD contract.  

If you’re seeking Level 4 or 5 CMMC certification, some of its control requirements go beyond NIST 800-171. That means you’ll need to look beyond 800-171’s foundational elements for mapping. 

Beyond Level 3, CMMC includes controls that link back to the following frameworks:

  • NIST 800-53, Rev. 4
  • CIS CSC 7.1
  • NIST Cybersecurity Framework
  • CERT RMM v1.2

If you’ve already achieved certification or accreditation for any of these frameworks, you’re already one step forward on your CMMC assessment. If not, you can likely combine your efforts for the additional certifications to see where your gaps are and kill two (or more) birds with one stone.

Of course, if you’re still managing all your compliance requirements with a spreadsheet, this could become a bit of a headache.

How ZenGRC can help you build your SSP 

If your organization works as a defense contractor, it must assure that it has done its due diligence to comply with all applicable NIST, DFARS, and CMMC compliance requirements. 

ZenGRC can help by relieving the burden of manually gathering documentation for CMMC compliance (and multiple other frameworks) via spreadsheets. 

ZenGRC can support a variety of compliance frameworks and security requirements, including FedRAMP, ISO, COSO, and more — helping you to cross-reference existing documentation you may already have in place to support CMMC mapping.

ZenGRC simplifies the self-assessment process by delivering a single, central dashboard to help you visualize your compliance stance, across all applicable frameworks; identifying the gaps in your cybersecurity program, and telling you how to fill them.

Our system also stores and organizes all related documentation, so it’s readily available when the time comes for third-party assessment organizations to audit your compliance.

Worry-free compliance and risk management is the Zen way! Learn how ZenGRC can help you simplify CMMC certification by booking a demo today.