In our post “The CMMC: What It Is, Why You Need It & How a Managed Service Provider Can Help,” we covered everything from what the CMMC is and what it protects to its maturity levels, the benefits of certification, and what the CMMC costs. (Since the publication of that post, CMMC 2.0 has launched.)
In this post, we’re going to dive a bit deeper into how the CMMC differs from the FedRAMP, and why having both as a contractor is important.
Let’s dive in.
FedRAMP
The US General Services Administration’s (GSA) FedRAMP, or Federal Risk and Authorization Management Program, is required for nearly all contractors—not just DoD preferred contractors—and exists to create uniform security standards for cloud computing across all government agencies and contractors.
Here’s a look at how the authorization process works:
FedRAMP’s requirements consist of 17 primary categories, or “Families.” These requirements are informed by OMB Circular A-130, the Federal Information Security Modernization Act (FISMA), and FedRAMP policy.
FedRAMP’s 17 families include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Certification, Accreditation, and Security Assessments
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
CMMC
The Cybersecurity Maturity Model Certification, on the other hand, is a unified standard for adopting cybersecurity across the Defense Industrial Base (DIB) sector and the Department of Defense (DoD) supply chain.
This training, certification, and third-party assessment program aims to measure the maturity of an organization’s cybersecurity processes and to demonstrate compliance with the requirements for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Like FedRAMP, the CMMC has 17 “domains” of cybersecurity, each made up of several capabilities.
These include:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
As we mentioned in the introduction, since the publication of our first post on CMMC 1.0, the DoD launched CMMC 2.0 on November 4, 2021. One big change is that 2.0 streamlined the number of maturity levels from five to three:
- CMMC 2.0 Level 1 (Foundational) is aligned with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems
- CMMC 2.0 Level 2 (Advanced) is aligned with NIST SP 800-171 (and also requires compliance with FAR 52.204-21)
- CMMC 2.0 Level 3 (Expert) is aligned with NIST SP 800-172 (and also requires compliance with FAR 52.204-21 and NIST SP 800-171)
The DoD implemented these changes in response to feedback received on CMMC 1.0. According to the Department’s website, the changes were made in order to:
- Reduce costs, particularly for small businesses
- Increase trust in the CMMC assessment ecosystem
- Clarify and align cybersecurity requirements to other federal requirements and commonly accepted standards
We get it—understanding all of these requirements and ensuring your security systems are up to date is an incredibly difficult task. That’s why we’re here to help.
Ready to get started? Send us a message today to learn how we can provide the experienced, knowledgeable CMMC 2.0 and FedRAMP support you need.