Cybersecurity Maturity Model Certification | CMMC Certification

Cybersecurity Maturity Model Certification
(CMMC)

The Cybersecurity Maturity Model, a.k.a. the CMMC model, set forth by the DoD measures cybersecurity maturity using three levels. It aligns a set of processes and practices to protect your valuable information and deter possible associated threats. The CMMC 2.0 consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references including the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21 and the security requirements for CUI specified in NIST SP 800-171 per DFARS Clause 252.204-7012. CMMC levels 1 through 3 go from a basic cyber hygiene level to an advanced cyber hygiene level.

The purpose of CMMC 2.0 is to figure out what level of hygiene your company is required to be at in RFP sections L and M and then be able to bid on each proposal. The Cybersecurity Maturity Model maps a set of 17 domains and 171 cybersecurity best practices across the different levels. And to be able to achieve a CMMC level of cybersecurity, an organization also has to achieve all the CMMC levels preceding it. So if your company meets CMMC level 1 but the RFP needs it to meet CMMC level 3, you might be unable to bid on the contract.

The CMMC Certification is the official document that certifies your company’s compliance with NIST 800-171. CMMC 2.0 is being created to assess and enhance the cybersecurity posture of the defense industrial base (DIB). Think of the CMMC Certification as a way to verify and make sure there are appropriate levels of cybersecurity controls and processes in place to protect CUI (Control Unclassified Information) residing on the department's industry partner's networks. The CMMC Certification entails training and certification followed by assessment by a third party assessor. When you get CMMC certified, you decrease your company's chances of getting breached and the damage that it causes to your company and to the government.

The Cyber Tackle Box™ from Lionfish Cyber Security helps meet CMMC requirements because it is a self-aid, mentoring platform with a command-and-control element that allows for on-demand scaling of training and incident response resources. The Cyber Tackle Box is designed to ensure organizations are proficient in foundational concepts and skills across key areas of cyber security.

Drawing on the Cyber Maturity Model Certification, Cyber Tackle Box becomes your organization’s cyber security shield by providing you with the finest training, planning, and support that will significantly improve your ability to defend against cyber-attacks targeting your company and community. This CMMC certification will dramatically reduce your chances of getting breached.

Portrait of happy young attractive asian entrepreneur woman looking at camera using smart tablet in warehouse with inventory management or industry digital era concept. Asian small business or sme.

We follow the “by-with-and-through” mentality of the Army special forces, because the Pentagon's push to protect industrial base networks and controlled unclassified information (CUI) from cyber attacks falls under CMMC.

Defense Industrial Base (DIB) contractors for the Department of Defense (DoD) are required to provide certified assurance based on the CMMC framework. The CMMC framework is a set of mandatory cybersecurity requirements that all contractors within the DoD supply chain will be required to implement and be verified by an independent CMMC Third Party Assessment Organization (C3PAO).

The CMMC framework establishes three certification levels that define the minimum-security posture, or cyber maturity, an organization must achieve based on the sensitivity of its information. Eligibility to receive a new DoD contract award or renewal is dependent on achieving CMMC certification, outlined in each program’s acquisition strategy or RFP.

The Lionfish CMMC Certification program using the Cyber Tackle Box will bring you to a level of cyber control you can count on…hook, line and sinker. We are currently offering support for CMMC levels 1-3 as part of our Cyber Tackle Box.

Is Your Supply Chain Resilient?

An entire supply chain becomes vulnerable if one component is exposed to risk, just like a house of cards will topple if one section is out of balance. Supply chain resilience refers to an organization’s ability to use its resources to handle unanticipated supply network disruptions.

How Data Compliance and Cybersecurity Differ

To ramp up your organization’s security posture, you can implement strong authentication, data protection, access monitoring, network-to-edge defenses, etc.
By routinely validating the effectiveness of these solutions once they’re in place, you can ensure your organization is taking the necessary measures to avoid non-compliance and security

Are you a Prime Contractor?
Helping your subs prepare for the Cybersecurity Maturity Model Certification with the Lionfish
Cyber Tackle Box™ brings these benefits:
- Confidence subs will meet CMMC requirements.
- System can be co-branded with prime’s logo and colors. Build loyalty with subs.
- Subs save time and money with one-stop option to learn, implement, monitor and manage CMMC solutions.
- Ensure subs have ongoing protection and compliance.

Benefits of the Lionfish Cyber Tackle Box™ platform:
- Uniquely credentialed to assist you to qualify for and maintain government contracts
- Supplement your staffing needs with our seasoned security professionals and apprenticeships
- Management of routine IT tasks to save you time and focus on your business
- Affordable enterprise-level managed security services designed specifically for small businesses
- Proactive Technology Management to prevent malicious activity
- Cyber awareness training to achieve data care best practices that protect your most valuable assets – customer and employee data
- We quickly identify, remediate and set up appropriate disaster recovery mechanisms to keep your business running smoothly

Check out Our Infosheet - How a 'Compliance First' Mindset Limits Liabilities

Are you trying to deploy the most affordable technology solution? Chances are it won’t be compliant.

Using solutions that do not meet security, encryption and reporting measures outlined by regulations that you are trying to meet will make your business non-compliant and violate compliance insurance requirements.

Click Here to Download the Infosheet

We are Registered, So We Are Ready to Serve You…
Lionfish is a CMMC Registered Provider Organization (RPO) and a CMMC Accredited Practitioner™, so we are able to assist you with your CMMC requirements. As a disabled vet-owned business, we provide guidance and activity-driven models for small businesses that seek to achieve a high standard of cybersecurity excellence and meet the required CMMC levels through cyber deterrence and resilience. We are working towards a world where all businesses are cyber resilient and are no longer easy targets for cyber-attacks.
CMMC guidelines require DoD contractors to meet mandatory requirements and go through multiple assessments to prove their CMMC certification level. Lionfish Cyber Security will assist you in determining the CMMC levels of certification the DoD requires of your company, which all begin with minimal cyber hygiene requirements. And we make sure you meet all the required CMMC levels.

What Exactly is CMMC?

The Cybersecurity Maturity Model, a.k.a the CMMC model measures a company’s cybersecurity maturity with five levels and aligns a set of processes and practices with the information you wish to protect, and possible associated threats. The CMMC model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references. The model encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21 and the security requirements for CUI specified in NIST SP 800-171 per DFARS Clause 252.204-7012. When you meet the required CMMC levels, you significantly reduce your chances of getting breached.

Why Was It Created?

DOD will migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC certification is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene. The CMMC changed the need for self-assessment and in some cases mandates verification of a company's cybersecurity maturity level by a third party assessor. The CMMC certification will also help protect controlled unclassified information (CUI) that resides on the industry partners’ networks.

Where to Begin…

Below you will find CMMC practices grouped by level and by domain. Each practice contains helpful publicly available cybersecurity resources and clarification from CMMC Model v1.02 Appendix B.

Need guidelines for assessing CMMC practices?

Have questions about NIST 800-171 or CMMC compliance? We are happy to answer any of your questions about our product offerings.

New Cybersecurity Requirements

CMMC Level 1 Assessment Guide

CMMC Level 3 Assessment Guide

CMMC Blogs

Getting Ready for New CMMC Requirements Now

By Lionfish Cyber Security | May 12, 2021

Right off the bat, we’re here to tell you that anyone promising you a sure-shot solution to all your CMMC woes is trying to pull a fast one on you. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive move by the U.S. Department of ...

CMMC_DFARS Rule and What it Means for you

Achieving CMMC: The Interim DFARS Rule and What It Means for You

By Lionfish Cyber Security | May 20, 2021

The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020. The decision sent over 300,000 members of the defense industrial base (DIB), mostly small and midsize businesses (SMBs), into a state of frenzy. Most ...

More Blogs

If You Live in Indiana…

Lionfish Cyber Security has figured out a way to help Indiana (IN) employers and DoD contractors tap into state dollars for their cybersecurity program and training. If you are a DoD Contractor in the state of Indiana, it’s time to learn more about Cybersecurity Maturity Model Certification (CMMC) requirements.

Lionfish Cyber Security is an approved trainer and learning center under the Indiana Office for Career and Technical Schools, and offers both basic and advanced computer skills and cybersecurity training. The grant level can go up to $50,000 per company, depending on whether the employer meets pre-set criteria.

To learn more about the Lionfish By-With-Through Platform™ and grant funds, each webinar is designed to show you a roadmap of what to expect, and how to participate, working with Lionfish Cyber Security.

“Every company must deal with multiple third-party contractors and vendors as a part of their business. This exposes businesses to multiple users and introduces new vulnerabilities. Implementing security practices such as endpoint monitoring, patching, network segmentation, etc., can help mitigate the risks posed to your supply chain. But where do you start? We are here for companies like yours,” said CEO Jeremy Miller of Lionfish Cyber Security.

Find our list of webinars each month this spring on Eventbrite, or signup on our website for our newsletter! The dates of these free webinars are posted on our Event Page.

Read our assembled FAQS

How will my organization become certified? The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org).
I am a subcontractor on a DoD contract. Does my organization need to be certified? Yes, so long as your company does not solely produce Commercial-Off-The-Shelf COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.
What is CMMC? CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
What is Controlled Unclassified Information? CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and https://www.dodcui.mil/Home/DoD-CUI-Registry/ and includes the following organizational index groupings:

Will there be a self-certification?

No, there are no self-certifications for CMMC. However, DIB companies are encouraged to complete a self-assessment based on CMMC Assessment Guides prior to scheduling a CMMC assessment. The Department of Defense posts versions of the CMMC Assessment Guides on its website (https://www.acq.osd.mil/cmmc/index.html).

Are the results of my assessment public? No, the detailed results of a CMMC assessment and the specific CMMC certification levels will not be made public. The only information that will be publicly available is that your company has a CMMC certification.

The DoD will have access to all DIB companies’ CMMC certificates, which will be posted on the CMMC Enterprise Mission Assurance Support Services (eMASS) database and on the Supplier Performance Risk System (SPRS).

5. What is the phased rollout of CMMC to date? The Department is implementing CMMC through a phased rollout approach. Until September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.

The Department is currently working with military Services and Defense Agencies to identify candidate programs that will implement CMMC requirements during the FY2021-FY2025 phased rollout. During the first year of the rollout, the Department will require no more than 15 new Prime acquisitions to meet CMMC requirements as part of a CMMC pilot program. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.

6. How will Lionfish Cyber Security assist me in preparing for the CMMC audit? Through our monthly subscription model, we will work through the “CMMC Compliance Checklist: Next Steps for Contractors” which will include the following high-level activities:

Assess the current organization for NIST 800-171 compliance, including basic cyber hygiene practices and templates.
Create or update your System Security Plan (SSP).
Build your plan of action & milestones.
Implement an Incident Response Plan and A Remediation Plan.
Assist in ongoing cyber resilience activities for compliance.

See more about our products and services here.