What is CMMC?
A new framework mandated by the federal government to characterize, measure, and reduce the cyber risk in digital supply chains. CMMC compliance will be required for any organization that wants to sell to the U.S. government, or is part of the U.S. government supply chain.
- Comprehensive assessment process
- Needs to scale across the entire supply chain
What Does CMMC Mean for DoD Contractors?
Any vendor or contractor in the DoD supply chain will be required to meet CMMC compliance in order to continue working with the DoD. Contractors will require various levels of cybersecurity maturity: the required level depends on the supplier's position in the DoD supply chain and on the Controlled Unclassified Information (CUI) it handles.
CMMC Levels — Where Do You Stand?
The Cybersecurity Maturity Model Certification uses a simplified scoring system to identify an organization's maturity and readiness, ranging from Level 1 to Level 5. Each CMMC level builds on the last, with more prominent organizations within the DoD supply chain required to meet stricter security and protection requirements.
Automating CMMC Compliance
Black Kite spans the entire vendor risk management process for CMMC compliance and Supply Chain Risk Management. Implemented parameters include:
C032: Risk Management Capability, including
- RM.2.143 Remediate vulnerabilities in accordance with risk assessments
- RM.3.146 Develop and implement risk mitigation plans
- RM.5.155 Analyze the effectiveness of security solutions annually to address anticipated risks to the system and the organization based on current and accumulated threat intelligence
C033: Supply Chain Risk Management Capability, including
- RM.4.148 Develop and update as required in order to manage risks associated with the IT supply chain
CMMC compliance levels are presented based on the correlation between Black Kite's technical report and requirements from international standards such as ISO 27001, NIST 800-53, NIST CSF and NIST 800-171. Organizations can continuously measure internal compliance alongside the compliance levels of their subcontractors.
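Worked example (added here; not Black Kite's code) of the cumulative level rule described above, scored over practices such as RM.2.143 and RM.3.146 from the lists in this section. It assumes CMMC 1.0 practice IDs of the form DOMAIN.LEVEL.NUMBER, where the middle field is the practice's level, and uses a constructed assessment result.

```python
"""Compute the CMMC maturity level achieved from per-practice assessment results.
Rule: a level counts as achieved only if every practice at that level and all
lower levels is met (each level builds on the last)."""
import re
from collections import defaultdict

# Assumption: CMMC 1.0 practice IDs look like RM.2.143 (domain.level.number)
PRACTICE_ID = re.compile(r"^([A-Z]{2})\.([1-5])\.(\d{3})$")


def parse_practice_id(pid):
    """Split 'RM.2.143' into (domain, level, number)."""
    m = PRACTICE_ID.match(pid)
    if not m:
        raise ValueError(f"malformed practice id: {pid}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def achieved_level(results):
    """Highest level L such that levels 1..L are all fully met (0 if none).
    results: {practice_id: True if met, False if not met}."""
    by_level = defaultdict(list)
    for pid, met in results.items():
        _, level, _ = parse_practice_id(pid)
        by_level[level].append(met)
    level = 0
    for lvl in range(1, 6):
        # A level with no assessed practices, or any unmet one, stops the climb
        if lvl not in by_level or not all(by_level[lvl]):
            break
        level = lvl
    return level


def domain_coverage(results):
    """Percentage of assessed practices met per domain (the per-domain view)."""
    totals = defaultdict(lambda: [0, 0])
    for pid, met in results.items():
        dom = parse_practice_id(pid)[0]
        totals[dom][0] += int(met)
        totals[dom][1] += 1
    return {d: round(100 * m / n) for d, (m, n) in totals.items()}


# Constructed sample assessment, not real output. The RM practices are the ones
# named on this page; AC.1.001/AC.1.002 are CMMC 1.0 Level 1 practices.
SAMPLE = {
    "AC.1.001": True, "AC.1.002": True,
    "RM.2.143": True, "RM.3.146": False,
    "RM.4.148": True, "RM.5.155": True,
}

if __name__ == "__main__":
    print(achieved_level(SAMPLE))    # 2: the unmet RM.3.146 blocks Level 3
    print(domain_coverage(SAMPLE))   # {'AC': 100, 'RM': 75}
```

Note that RM.4.148 and RM.5.155 being met does not raise the level past 2: the cumulative rule means a gap at Level 3 caps the result regardless of higher-level practices.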
Parse, Analyze, and Map results to CMMC Controls
Using the UniQuE Parser, upload vendor CMMC policies and process documents to:
- Understand which CMMC controls are met and which need more work
- Identify existing gaps within the organization
- Compile Request for Information/Proposal (RFI/RFP) information quickly, without having to review documents line-by-line
Execute the same operation for subcontractors, ensuring they meet the requirements under C033: “Manage supply chain risk”.
Example: Black Kite’s CMMC Maturity Level: 97%
The Cybersecurity Maturity Model Certification (CMMC) is a standard for implementing cybersecurity in the Defense Industrial Base (DIB), aimed at measuring the maturity of an organization's cybersecurity processes in order to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC framework was developed in cooperation between the United States Department of Defense (DoD), DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the Defense Industrial Base (DIB) sector.
The mappings between the framework control items are intended to be an informative reference and do not imply or guarantee compliance with any laws or regulations. Users who have aligned their security program to one of these standards should not assume that by so doing they are in full compliance with the corresponding compliance standard.
| CMMC domain | | |
|---|---|---|
| Audit and Accountability | 100% | 79% |
| Awareness and Training | 100% | 94% |
| Identification and Authentication (IA) | 100% | 100% |
| System and Communications Protection | 98% | 74% |
| System and Information Integrity | 95% | 85% |