Cybersecurity Maturity Model Certification (CMMC)

Increasing the security and visibility of the entire supply chain

Supply chain security is currently one of the industry's main challenges. This applies to many industries, perhaps especially to the defence industry. CMMC (Cybersecurity Maturity Model Certification) is a framework defined by the US Department of Defense (DoD) to raise the cybersecurity level of the companies that deliver solutions to the US military. Certification against this model will be required of every company in that supply chain, an estimated 350,000 companies, in order to protect Controlled Unclassified Information (CUI), i.e. information that is sensitive but not classified. Certification will shortly be a condition for participating in procurements, so it is high time to start the implementation. The purpose of the certification is to increase security and resilience throughout the chain.

CMMC draws on existing standards and frameworks such as NIST SP 800-171, NIST SP 800-53, the NIST Cybersecurity Framework (CSF), ISO/IEC 27002, CIS Controls v7 and the Secure Controls Framework, and was developed by the DoD together with industry and academia. The model defines five maturity levels that describe a company's level of security in terms of technology, processes and behaviour. Level 1 corresponds to basic cyber hygiene, level 3 covers all 110 security requirements of NIST SP 800-171 plus additional practices and is the level normally required for handling CUI, while level 5 is an advanced level.

DFARS, the supplement to the Federal Acquisition Regulation (FAR) that governs defence procurement in the United States, was amended at the end of 2020 by an interim rule (effective 30 November 2020) to speed up the introduction of the new framework. Among other things, this means that suppliers must carry out a self-assessment against NIST SP 800-171 using the DoD Assessment Methodology and report the resulting score in the DoD's Supplier Performance Risk System (SPRS); a current assessment in SPRS is a condition for contract award.

About Cybersecurity Maturity Model Certification

  • Version 1.0 of the standard was published on 31 January 2020.
  • Mandatory for any company that wants to do business with the US Department of Defense, including subcontractors further down the supply chain.
  • Phased in from autumn 2020. A company that cannot demonstrate compliance at the required level can be excluded from procurements.
  • There are five maturity levels to certify against. The required level is specified for each procurement and depends on the type of work and the sensitivity of the information to be handled.
  • Certification must be performed by an accredited, independent third-party assessment organization (C3PAO); self-attestation alone is not sufficient.

Our expertise & competence in CMMC

  • We can support your NIST SP 800-171 self-assessment and help you set and follow up security requirements on partners in your own supply chain.
  • Combitech can assist with methodology and models for inventorying and documenting CUI, and with general advice regarding FAR, DFARS and CMMC.
  • Combitech is an independent consulting firm. We do not act as a certifier in this area; instead we assist companies with expertise and guidance on the way to CMMC compliance.
  • We have broad expertise across the entire field of cybersecurity and in system security, both of which are covered by CMMC. We can support an organization from implementation through certification, as well as in the continuous security work that follows.
  • We have extensive experience of the cybersecurity standards and frameworks on which CMMC is built.
  • Combitech has thorough technical expertise in all relevant control areas and can assist with a complete implementation.

Our services

Combitech works with a six-step model for implementing and maintaining compliance with CMMC. The model is tailored together with the customer to the specific needs of the organization.

The six steps in outline:

1. Define goals and scope, including which contracts, systems and parts of the organization handle CUI and are therefore in scope.

2. Analyse the organization and its present situation.

3. Identify gaps and deficiencies against the controls at the selected CMMC level. Technology, processes, organization and awareness are all included.

4. Develop a CMMC compliance plan in which each identified gap and deficiency is addressed. Examples of the basic areas of CMMC are shown in the model illustration.

5. Establish an organization, with clear roles and responsibilities, for remediating deficiencies and enforcing the measures.

6. Implement the plan and ensure continuous compliance, among other things by integrating the measures into existing processes.
