***UPDATE: Currently, NH MEP has received funding through the CARES Act to provide partial funding for the CMMC Implementation to manufacturers that have been impacted by COVID-19.***
CMMC Implementation Services
NHMEP has partnered with Mainstay Technologies to provide Phases 1 and 2 of CMMC Implementation to New Hampshire manufacturers who are DoD suppliers or sub-contractors. We begin by working with your IT management on a gap analysis of your current cybersecurity strategies to discover strengths, weaknesses and the best solution to bring your company into CMMC compliance.
What is CMMC?
CMMC Version 1.0 was released in January 2020 and serves as a unified cybersecurity standard for future Department of Defense (DoD) acquisitions. For the bidding process on DoD contracts, CMMC will ensure a fairer process by outlining required levels based on your company’s business requirements. CMMC V1.0 defines a maturity model as a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. It works to establish best practices through defining and structuring action that must be taken by a company to prove that it has incorporated these practices.
The CMMC Framework
The CMMC model framework organizes processes and cybersecurity est practices into a set of domains. For each of the 17 domains, there are processes that span five levels of cybersecurity maturity. Additionally, each of the domains contain one or more capabilities spanning the five levels. And, for a given capability, there are one or more practices that must be demonstrated.
The 17 Domains
Each domain is comprised of processes and capabilities across the five levels. The domains include:
- Access Control (AC)
- Asset Management (AM)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PA)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communication Protection (SC)
- System and Information Integrity (SI)
Phase 1 – Basic Cyber Hygiene
Processes are performed and select practices are documented where required. There are 17 practices to demonstrate basic cyber hygiene. Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 from FAR Clause 52.204-21. The first level ensures basic safeguarding of federal contract information.
Phase 2 – Intermediate Cyber Hygiene
Processes are documented, including Level 1 practices and a policy exists that includes all activities. Practices demonstrate intermediate cyber hygiene. This level complies with FAR, includes a select subset of 48 practices from NIST SP 800-171, and includes an additional 7 practices to support intermediate cyber hygiene. A total of 72 practices must be demonstrated at this level as organizations transition to demonstrate cybersecurity maturity progression to protect controlled unclassified information.
To get started with a gap analysis for CMMC Implementation or to learn more, please contact NHMEP:
“Working with the Partnership was a cost effective way to remain ahead of implementation timelines to achieve compliance with NIST 800-171. Their administrative and technical assistance provided a rich contextual understanding of controlled information and information systems, and guided our company’s policy approach to information exchange governance. We are now better prepared to meet current and emerging information security obligations for all of our clients.”