Latest Analyst Report: The 2023 Gartner® Market Guide for Supplier Risk Management Solutions

Hero compliance cmmc

CMMC Compliance

CMMC and Third-Party Risk Management

In November 2021, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v2.0 of the Cybersecurity Maturity Model Certification (CMMC), a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks and to ensure that our entire national defense supply chain is secure and resilient.

CMMC requires companies to achieve certification against cybersecurity and controlled unclassified information (CUI) handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD.

All DoD suppliers must be certified in one of three levels, from Level 1 (Foundational) to Level 3 (Expert), based on the security requirements for controlled unclassified information (CUI) from FAR Clause 204-21, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and additional controls from NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.

Companies and Certified Third-Party Audit Organizations (C3PAOs) can leverage the Prevalent Third-Party Risk Management Platform with built-in questionnaires to assess against all three levels of CMMC certification.

CMMC Certification Levels Overview

  • Level 1 – Self-assessment performed by the supplier against 17 controls. This level of certification is considered foundational and for suppliers managing information that is not critical to national security.

  • Level 2 – A more advanced level of certification performed by third-party auditors against 110 controls in the NIST SP 800-171 standard. This level is considered for companies that have controlled unclassified information (CUI).

  • Level 3 – Considered an expert level for the highest-priority DoD suppliers, this level builds on Level 2 by adding a subset of NIST SP 800-172 controls on top. The federal government will conduct the audits for companies at this level.

Prevalent for CMMC Auditors

CMMC certified auditors can use the Prevalent Third-Party Risk Management Platform with all three levels of CMMC controls questionnaires included.

Prevalent for CMMC Responders

Suppliers and DoD contractors can use the Prevalent Third-Party Risk Management Platform to conduct a Level 1 and Level 2 self-assessments.

Align Your TPRM Program with ISO, NIST, SOC 2 and More

Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.

Read Now
Featured resource compliance handbook cybersecurity

Meeting CMMC TPRM Requirements

Please see the table below for a summary of CMMC requirements by level, organized by NIST SP 800-171r2 Relevant Security Controls, that are included as built-in questionnaires in the Prevalent Platform. Information on Level 3 will be released by the US DoD at a later date and will contain a subset of the security requirements specified in NIST SP 800-172.

Access Control

Level 1

3.1.1 Authorized Access Control
3.1.2 Transaction & Function Control
3.1.20 External Connections
3.1.22 Control Public Information

Level 2

3.1.3 Control CUI Flow
3.1.4 Separation of Duties
3.1.5 Least Privilege
3.1.6 Non-Privileged Account Use
3.1.7 Privileged Functions
3.1.8 Unsuccessful Logon Attempts
3.1.9 Privacy & Security Notices
3.1.10 Session Lock
3.1.11 Session Termination
3.1.12 Control Remote Access
3.1.13 Remote Access Configurability
3.1.14 Remote Access Routing
3.1.15 Privileged Remote Access
3.1.16 Wireless Access Authorization
3.1.17 Wireless Access Protection
3.1.18 Mobile Device Connection
3.1.19 Encrypt CUI on Mobile
3.1.21 Portable Storage Use

Awareness & Training

Level 1

N/A

Level 2

3.2.1 Role-Based Risk Awareness
3.2.2 Roles-Based Training
3.2.3 Insider Threat Awareness

Audit & Accountability

Level 1

N/A

Level 2

3.3.1 System Auditing
3.3.2 User Accountability
3.3.3 Event Review
3.3.4 Audit Failure Alerting
3.3.5 Audit Correlation
3.3.6 Reduction & Reporting
3.3.7 Authoritative Time Source
3.3.8 Audit Protection
3.3.9 Audit Management

Configuration Management

Level 1

N/A

Level 2

3.4.1 System Baselining
3.4.2 Security Configuration Enforcement
3.4.3 System Change Management
3.4.4 Security Impact Analysis
3.4.5 Access Restrictions for Change
3.4.6 Least Functionality
3.4.7 Nonessential Functionality
3.4.8 Application Execution Policy
3.4.9 User-Installed Software

Identification and Authentication

Level 1

3.5.1 Identification
3.5.2 Authentication

Level 2

3.5.3 Multi-factor Authentication
3.5.4 Replay-Resistant Authentication
3.5.5 Identifier Reuse
3.5.6 Identifier Handling
3.5.7 Password Complexity
3.5.8 Password Re-use
3.5.9 Temporary Passwords
3.5.10 Cryptographically-Protected Passwords
3.5.11 Obscure Feedback

Incident Response

Level 1

N/A

Level 2

3.6.1 Incident Handling
3.6.2 Incident Reporting
3.6.3 Incident Response Testing

Maintenance

Level 1

N/A

Level 2

3.7.1 Perform Maintenance
3.7.2 System Maintenance Control
3.7.3 Equipment Sanitization
3.7.4 Media Inspection
3.7.5 Nonlocal Maintenance
3.7.6 Maintenance Personnel

Media Protection

Level 1

3.8.3 Media Disposal

Level 2

3.8.1 Media Protection
3.8.2 Media Access
3.8.4 Media Markings
3.8.5 Media Accountability
3.8.6 Portable Storage Encryption
3.8.7 Removable Media
3.8.8 Shared Media
3.8.9 Protect Backups

Personnel Security

Level 1

N/A

Level 2

3.9.1 Screen Individuals
3.9.2 Personnel Actions

Physical Protection

Level 1

3.10.1 Limit Physical Access
3.10.3 Escort Visitors
3.10.4 Physical Access Logs
3.10.5 Manage Physical Access

Level 2

3.10.2 Monitor Facility
3.10.6 Alternative Work Sites

Risk Assessment

Level 1

N/A

Level 2

3.11.1 Risk Assessments
3.11.2 Vulnerability Scan
3.11.3 Vulnerability Remediation

Security Assessment

Level 1

N/A

Level 2

3.12.1 Security Control Assessment
3.12.2 Plan of Action
3.12.3 Security Control Monitoring
3.12.4 System Security Plan

System and Communications Protection

Level 1

3.13.1 Boundary Protection
3.13.5 Public-Access System Separation

Level 2

3.13.2 Security Engineering
3.13.3 Role Separation
3.13.4 Shared Resource Control
3.13.6 Network Communication by Exception
3.13.7 Split Tunneling
3.13.8 Data in Transit
3.13.9 Connections Termination
3.13.10 Key Management
3.13.11 CUI Encryption
3.13.12 Collaborative Device Control
3.13.13 Mobile Code
3.13.14 Voice over Internet Protocol
3.13.15 Communications Authenticity
3.13.16 Data at Rest

System and Information Integrity

Level 1

3.14.1 Flaw Remediation
3.14.2 Malicious Code Protection
3.14.4 Update Malicious Code Protection
3.14.5 System & File Scanning

Level 2

3.14.3 Security Alerts & Advisories
3.14.6 Monitor Communications for Attacks
3.14.7 Identify Unauthorized Use

Prevalent and the CMMC

The Prevalent Third-Party Risk Management Platform offers built-in questionnaires for each level of CMMC certification. This enables the DoD to assess high-priority suppliers; auditors to assess their clients; and suppliers to assess themselves and their suppliers for compliance against each level.

C3PAOs and the federal government can:

  • Invite clients into the Prevalent platform to complete their standardized Level 2 or Level 3 control assessment in an easy-to-use, secure tenant
  • Automate chasing reminders to clients to reduce the time required to complete assessments
  • Centralize supporting documents submitted as evidence of the presence of controls
  • View a single register of risks raised depending on how the client responds to the questions
  • Issue remediation recommendations for failed controls
  • Deliver customized reporting on the current level of compliance, demonstrating the risk-reducing impact of the application of future controls

Any DoD supplier can conduct a Level 1 or Level 2 self-assessment to:

  • Assess against the 17 controls required to measure Level 1 compliance
  • Assess against the 110 controls required to measure Level 2 compliance
  • Upload documentation and evidence to support answers to questions
  • Gain visibility into current compliance status
  • Leverage built-in remediation guidance to address shortcomings with third parties
  • Produce reporting to measure compliance for auditors
  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo