Quick summary of the standard
CMMC stands for “Cybersecurity Maturity Model Certification”. In 2020, the United States Department of Defense (DoD) created the CMMC framework to assess and improve information security across the Defense Industrial Base (DIB). The CMMC certification process is intended to provide better assurance that DIB companies are maintaining appropriate information security measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Within the CMMC as originally published, there are five maturity levels, each with its associated Processes and Practices. Over time, all DoD contracts for DIB companies will require certification against one of the five CMMC Levels (1 – 5). (Note: CMMC 2.0, announced by the DoD in November 2021, reduced the model to three levels; the descriptions on this page follow the original five-level model.)
The most common process for CMMC certification is (or will be):
- Perform a CMMC Gap Assessment.
- Remediate all CMMC gaps.
- Conduct the CMMC audit and certification.*
*Only authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) can issue CMMC certification.
See the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification Frequently Asked Questions page for official information.
Description of the report contents (what it is and what it isn’t)
The CMMC Readiness Report is a simple, easy-to-use reference that lets SecurityStudio customers measure the gap between their current information security posture and the CMMC framework (usually in preparation for eventual certification). The organization’s level of compliance (or completeness of controls) is depicted against each CMMC Process and Practice for each of the CMMC Levels.
Who can use it
SecurityStudio simplifies CMMC to the point where the CMMC Readiness Report can be used by a variety of people. Within an organization, the CMMC Readiness Report can be used as a quick reference for executive management, to organize projects for project management personnel, to justify budget and operational activities for information security personnel, or as a document to kick-start activities with Registered Provider Organizations (RPOs) and/or CMMC Third Party Assessment Organizations (C3PAOs).
The CMMC Readiness Report isn’t restricted to internal use. RPOs can use the reports to show their clients where they stand with respect to CMMC compliance.
How to use CMMC Readiness Specialty Report
Ultimately, what drives an information security program is risk, and more specifically risk management. SecurityStudio’s S2 platform and S2Org information security risk assessment are the perfect place to start (or improve) an organization’s information security risk management program. The CMMC Readiness Report is generated automatically for an organization upon completion of its S2Org assessment and is a perfect complement for organizations seeking CMMC certification now or in the future. The CMMC Readiness Report should be used as an aid to guide CMMC compliance, but within the context of a greater overall information security program.
The simplest (and most effective) way to use the CMMC Readiness Report is:
- Access the report within the S2 platform (it was generated automatically).
- Review the report with your team for accuracy.
- Within the S2 platform, use the report to guide prioritization of the organization’s information security roadmap.
- As improvements are made (i.e., as CMMC gaps are addressed), track the changes within the S2 platform and access new (updated) CMMC Readiness Reports on the fly.
We developed this report, and all reports, from customer feedback. As you familiarize yourself with the report, tell us more about how we can make your information security life simpler!