On January 31, 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v1.0 of the Cybersecurity Maturity Model Certification (CMMC). Developed to serve as a single cybersecurity standard for all future DoD acquisitions, CMMC requires that each of the more than 300,000 DoD contractors become CMMC certified beginning in October 2020, with a five-year phase-in and renewals every three years after that.
CMMC requires that companies achieve third-party certification against cybersecurity and information handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD. Meant to help small businesses demonstrate cybersecurity protections more easily and cost-effectively, CMMC aims to ensure that our entire national defense supply chain is secure and resilient.
All DoD contractors must be certified at one of five levels, from Level 1 (lowest, Basic Cyber Hygiene) to Level 5 (highest, Advanced/Progressive). The levels are based on the Federal Acquisition Regulation (FAR) Clause 52.204-21 and on the security requirements for controlled unclassified information (CUI) in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as required by the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204.7012.
Although certified auditors (C3PAOs) must assess DoD contractors in order to demonstrate compliance with their target level of certification, companies that are doing, or wish to do, business with the US federal government can assess themselves against the requirements as well.
- Level 1 – Applies to 285,000 DoD contractors and requires that the company report against 17 no-cost controls that are based on good business practices and standard cyber hygiene
- Level 2 – Transitional level for organizations with the resources to reach for Level 3
- Level 3 – Applies to contractors that are approved to touch controlled unclassified information (CUI) and requires those companies by law to demonstrate certification against all 110 controls in NIST SP 800-171
- Levels 4 & 5 – Apply to a very small percentage of all DoD suppliers
Prevalent for CMMC Auditors
CMMC certified auditors can use the Prevalent Third-Party Risk Management Platform with all five levels of CMMC controls questionnaires included.
Prevalent for CMMC Responders
DoD contractors can use the Prevalent Third-Party Risk Management Platform to conduct a CMMC Level 1 pre-assessment prior to the formal audit.
Meeting CMMC TPRM Requirements
The table below summarizes the 17 CMMC domains and the certification levels at which each domain has practices. The Prevalent Third-Party Risk Management Platform has built-in questionnaires for each level, enabling C3PAOs to assess all DoD contractors, and contractors to assess themselves – especially for Level 1 compliance.
CMMC Domain & Capabilities | Practice Numbers by Level of Certification
---|---
Access Control (AC) | Level 1, Level 2, Level 3, Level 4, Level 5
Asset Management (AM) | Level 3, Level 4
Audit and Accountability (AU) | Level 2, Level 3, Level 4, Level 5
Awareness and Training (AT) | Level 2, Level 3, Level 4
Configuration Management (CM) | Level 2, Level 3, Level 4, Level 5
Identification and Authentication (IA) | Level 1, Level 2, Level 3
Incident Response (IR) | Level 2, Level 3, Level 4, Level 5
Maintenance (MA) | Level 2, Level 3
Media Protection (MP) | Level 1, Level 2, Level 3
Personnel Security (PS) | Level 2
Physical Protection (PE) | Level 1, Level 2, Level 3
Recovery (RE) | Level 2, Level 3, Level 5
Risk Management (RM) | Level 2, Level 3, Level 4, Level 5
Security Assessment (CA) | Level 2, Level 3, Level 4
Situational Awareness (SA) | Level 3, Level 4
Systems and Communication Protection (SC) | Level 1, Level 2, Level 3, Level 4, Level 5
System and Information Integrity (SI) | Level 1, Level 2, Level 3, Level 4, Level 5
CMMC certified auditors can leverage the Prevalent Third-Party Risk Management Platform with built-in questionnaires to assess all five levels of CMMC certification. With this access, certified auditors can:
Any DoD contractor can conduct a Level 1 pre-assessment prior to the formal audit to: