Cymonix's CMMC readiness assessment is built on industry-recognized security frameworks, including the NIST SP 800-171, NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.


The Department of Defense (DoD) has announced major changes to its Cybersecurity Maturity Model Certification (CMMC) program for defense industrial base (DIB) contractors and subcontractors.

The revamped program, called "CMMC 2.0," greatly reduces CMMC's reliance on third-party assessments, streamlines its compliance levels, more closely aligns to existing cybersecurity standards, and provides limited flexibility for contractors and subcontractors that may not meet certain requirements.

The release of CMMC 2.0 marks significant changes not only in the CMMC program's cybersecurity model but also in the timing of its implementation. DoD has been piloting CMMC with several DIB contractors and intended to start incorporating the program into some defense contracts this year. The Cymonix team is ready to help you prepare for CMMC 2.0.

Step 1. Project Planning

During Phase 1, the Cymonix team collaborates with you to establish the scope for this assessment, as well as communication methods and a cadence for status reporting. Following this initial step, we coordinate document and interview requests with your team.

  • Clear engagement scope

  • Established communication methods

  • Document and interview requests

Step 2. Program Analysis

Our team holds both on-site and remote discovery sessions with key stakeholders and subject matter experts within your organization. Following this step, our team builds a current state gap analysis of your policies, procedures, and technologies against industry standards.

Our assessment spans the CMMC’s three maturity levels and 110+ technical practices to help you identify your growth areas, address key issues, and advance your program.

  • Analysis of the current condition of your IT infrastructure, business processes, and utilized technologies

  • Identified process inefficiencies and areas for improvement

  • Understanding of the confidentiality, integrity, and availability of business systems

Step 3. Remediation Strategy

During this phase, we deliver a mapping of your current program against the CMMC, which documents identified process inefficiencies and opportunities for improvement. These reports are accompanied by a roadmap for short-term and long-term cyber maturity.

In the final phase of this assessment, our team also communicates the findings of our analysis to your leadership team.

  • Preparations for the eventual CMMC certification process

  • Alignment between cybersecurity priorities and organizational objectives and policies

  • Improved decision-making around the level of risk associated with the current IT environment

  • More efficient resource allocation

CATEGORIES FOR PROGRAM MATURITY ASSESSMENT

There are five (5) main categories that we focus on for the assessment.

01 Identify

One of the first steps in understanding the environment as it relates to cybersecurity is to gain an understanding of the business context, the resources that support critical functions, and the related cybersecurity risks to the organization. Only then can you prioritize the efforts surrounding the environment and allocate your resources consistent with the risk management strategy and business needs.

Subcategories

  • Asset Management

  • Business Environment

  • Governance

  • Risk Assessment

  • Risk Management Strategy

02 Protect

Once the critical assets and the influences on them are known to the organization, you can then start to develop the controls designed to limit or contain cybersecurity events that would have a potential impact. These range from endpoint controls and minimum security baselines to physical controls and good security awareness.

Subcategories

  • Access Control

  • Awareness and Training

  • Data Security

  • Information Protection Processes and Procedures

  • Maintenance

  • Protective Technology

03 Detect

While prevention is the ultimate goal for cybersecurity events, the current environment with its evolving threats makes complete prevention infeasible. To compensate, we need to ensure that good, timely detection mechanisms exist within the company to alert on potential issues before they turn into major incidents.

Subcategories

  • Anomalies and Events

  • Security Continuous Monitoring

  • Detection Processes

04 Respond

Detection only helps if the organization can act on what it finds. In this section, we look at the organization's ability to develop and implement the appropriate activities to take action on a detected cybersecurity event, so that a potential issue is contained before it turns into a major incident.

Subcategories

  • Response Planning

  • Communications

  • Analysis

  • Mitigation

  • Improvement

05 Recover

In this section, we look at the organization's ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity event. This includes plans for DDoS, ransomware, and potential compromises of systems, and should often be included within the company's core business continuity plan.


Subcategories

  • Recovery Planning

  • Improvements

  • Communications