CMMC cloud certification applies specifically to infrastructure used in work undertaken on behalf of the Department of Defense. Here is a quick guide to what you need to know if you are considering applying for it.
CMMC stands for Cybersecurity Maturity Model Certification. Unlike FedRAMP, it is not specific to cloud security. It does, however, apply to cloud infrastructure. Currently, there is no differentiation between on-premises CMMC certification and CMMC cloud certification.
CMMC cloud certification is only necessary if a business is undertaking work specifically for the Department of Defense. At present, all other federal government agencies still only require FedRAMP certification.
Currently, the only business benefit of getting CMMC cloud certification is that it enables you to bid for work with the Department of Defense. It will not give you extra security credibility with other government agencies. Likewise, state and local agencies are still likely to require only FedRAMP certification, as are most businesses and other private organizations.
Also, there is no direct equivalent of the FedRAMP marketplace. The FedRAMP marketplace shows a list of businesses that have achieved FedRAMP accreditation. This list is primarily for the use of government agencies. It is, however, available for public view and is regularly searched by other parties interested in working with FedRAMP-compliant businesses.
There is a CMMC marketplace, but its purpose is different. The CMMC marketplace essentially functions as a way for businesses looking to acquire CMMC certification to connect with businesses that can help them with it (e.g. third-party assessment organizations). There is currently no listings service as there is with FedRAMP. Even if there were, there isn't the same level of demand for CMMC as there is for FedRAMP.
Both CMMC and FedRAMP are based on NIST. CMMC is based on NIST SP 800-171 and NIST SP 800-172. FedRAMP is based on NIST SP 800-53.
FedRAMP's main impact levels are low, moderate, and high. There is also Low-Impact Software as a Service (LI-SaaS), but this has limited use. The current implementation of CMMC has five levels: basic, intermediate, good, proactive, and advanced. These levels are due to be streamlined. As of May 2023, they should be reduced to three: foundational, advanced, and expert.
At present, businesses looking to work with controlled unclassified information (CUI) must achieve at least level 4 (proactive). When the categories change, they will need to achieve at least level 2 (advanced). Businesses looking to work with higher-level data such as data relating to national security services or classified data must currently achieve level 5 (advanced). When the system changes, they will need to achieve at least level 3 (expert).
The process for achieving CMMC cloud compliance is due to change in May 2023. While the core of the process will stay much the same, it will become more streamlined. This should make it easier to follow.
Under both systems, CMMC level 1 covers 17 practices across the following domains:
Access Control (AC)
Asset Management (AM)
Audit and Accountability (AA)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IDA)
Incident Response (IR)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PP)
Risk Management (RM)
Security Assessment (SAS)
Situational Awareness (SA)
System and Communications Protections (SCP)
System and Information Integrity (SII)
Under the current system, CMMC level 2 covers 72 practices and 2 maturity processes. CMMC level 3 covers 130 practices and 3 processes. CMMC level 4 covers 156 practices and 4 processes. CMMC level 5 covers 171 practices and 5 processes.
Under the new system, CMMC level 2 will cover 110 practices and be based on NIST SP 800-171. CMMC level 3 will cover more than 110 practices and be based on NIST SP 800-172.
Under the current system, third-party certification is required for levels 1, 3, and 5. No external certification is required for levels 2 and 4.
When the system changes, an annual self-assessment will be required for level 1. For level 2, there will be a standard requirement for triannual external assessments; some programs will require annual external assessments. For level 3, there will be triannual government-led assessments.
Another key point to note is that the current system does not allow for the use of plans of action and milestones (POAMs). The new framework will allow limited use of them. The new system is also due to allow certification waivers, but only in very limited circumstances.