Cybersecurity Maturity Model Certification (CMMC) Workshop

Explore the Cybersecurity Maturity Model Certification (CMMC).

December 17 & 18, 8am-5pm
Location: Virtual Workshop

The Cybersecurity Maturity Model Certification (CMMC) Workshop will provide an overview of how to prepare for future certification, including its requirements, impact and importance for contractors working with the Department of Defense. 

Maturity Levels addressed as part of this workshop:

Level 1:
A company must perform "basic cybersecurity hygiene" practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." It does not include public information or certain transactional information.

Level 2:
A company must document certain "intermediate cyber hygiene" practices to begin to protect any Controlled Unclassified Information (CUI) through implementation of some of the US Department of Commerce National Institute of Standards and Technology's (NIST's) Special Publication 800-171 Revision 2 (NIST 800-171r2) security requirements. CUI is "any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls," but does not include certain classified information.

Level 3:
A company must have an institutionalized management plan to implement "good cyber hygiene" practices to safeguard CUI, including all the NIST 800-171r2 security requirements as well as additional standards.

Level 4:
A company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices to detect and respond to changing tactics, techniques, and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attach vectors.

Level 5:
A company must have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.