CMMC Overview:
The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors meet specific cybersecurity standards when handling Controlled Unclassified Information (CUI). It consists of five levels of increasing cybersecurity maturity, ranging from basic cyber hygiene (Level 1) to advanced practices that protect against sophisticated threats (Level 5). The CMMC integrates practices from various standards like NIST 800-171 and requires third-party audits to certify compliance. The goal is to safeguard the defense industrial base from cyber threats and ensure data protection across all contractors in the DoD supply chain.
CMMC is loaded as its own framework in ControlMap. It aligns with NIST SP 800-171, includes the additional assessment-objective questions from NIST SP 800-171A mapped to each framework objective, and provides specific tools to support CMMC assessments at Level 1 and Level 2.
ControlMap's CMMC Tools:
ControlMap has built specific tools to support CMMC assessment and auditing, including:
- Supplier Performance Risk System (SPRS) Score Calculator
- System Security Plan (SSP) Report Builder
- Assessment by objective with POAM management
- Shared Responsibility Matrix (SRM) Identification and Report
- Evidence Exporter aligned with DoD's audit import review standard with grouping by objective
- Optional hosting: AWS GovCloud region
- Link-out evidence, so CUI can be hosted outside ControlMap (keeps CUI in the audit-approved environment)
FedRAMP Moderate Equivalency:
ScalePad, including ControlMap, is currently SOC 2 and ISO 27001 audited annually. ScalePad's security page can be found here: Security Web Page. ScalePad has begun the FedRAMP Moderate equivalency assessment process to support our CMMC and Federal-focused partner base. The assessment was started in Q1 2025, and the goal is to include FedRAMP Moderate Equivalency in our security posture and audit program over the next year.
SPRS Calculator:
The Supplier Performance Risk System (SPRS) score is a measure of a defense contractor's compliance with NIST SP 800-171 requirements, used as part of the CMMC certification process. Contractors are required to self-assess their cybersecurity posture, providing a score that reflects how well they meet these requirements, with a higher score indicating stronger security practices and a lower risk profile for handling Controlled Unclassified Information (CUI).
The SPRS scoring system for CMMC compliance is based on the 110 security controls outlined in the NIST SP 800-171 standard. Contractors begin with a maximum possible score of 110, with each unmet requirement resulting in a deduction. The weight of each control varies, so some requirements may result in a deduction of 1 point, while others can result in a larger deduction of up to 5 points, depending on their importance to security.
For instance, critical controls like multi-factor authentication or system encryption may carry higher point deductions if they are not implemented. A negative score is possible if multiple critical controls are missing, with the lowest potential score being -203. The closer a contractor's score is to 110, the better their compliance. Contractors must upload their SPRS score to the DoD to demonstrate their current cybersecurity posture, which is then used to assess the risk they pose when handling Controlled Unclassified Information (CUI). Additionally, any identified deficiencies need to be addressed with a Plan of Action and Milestones (POAM) to improve their score over time.
In ControlMap, your SPRS score adjusts automatically as you complete your assessment, applying the weighting prescribed for each requirement so that the score aligns with CMMC compliance.
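The scoring rule described above (start at 110, deduct each unmet requirement's weight, never below -203) is small enough to show as code. The calculator below is an added example written for this page; it is not ControlMap's implementation. It also projects the score forward as POAM items reach their target dates, which is how the "improve their score over time" step is usually tracked. The requirement IDs follow NIST SP 800-171 numbering, but the six-item catalog and its weights are constructed for illustration; a real run loads all 110 requirements with the official weight table.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# Bounds of the scoring method as stated on this page.
MAX_SCORE = 110
MIN_SCORE = -203
ALLOWED_WEIGHTS = (1, 3, 5)  # a requirement deducts 1, 3 or 5 points when unmet


@dataclass(frozen=True)
class Requirement:
    """One NIST SP 800-171 requirement as recorded in a self-assessment."""
    req_id: str                      # NIST SP 800-171 numbering, e.g. "3.5.3"
    weight: int                      # points deducted if the requirement is unmet
    implemented: bool                # the assessor's finding
    poam_due: Optional[date] = None  # POAM target date for an unmet requirement


def sprs_score(reqs: Iterable[Requirement]) -> int:
    """Start at 110 and deduct the weight of every requirement that is not met."""
    score = MAX_SCORE
    for r in reqs:
        if r.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight must be one of {ALLOWED_WEIGHTS}")
        if not r.implemented:
            score -= r.weight
    if not MIN_SCORE <= score <= MAX_SCORE:
        # With a correct weight table the score cannot leave this range;
        # leaving it means the catalog or weights are wrong.
        raise ValueError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]")
    return score


def minimum_possible(reqs: Iterable[Requirement]) -> int:
    """Score if every listed requirement were unmet (-203 for the full 110-item catalog)."""
    return MAX_SCORE - sum(r.weight for r in reqs)


def projected_score(reqs: Iterable[Requirement], as_of: date) -> int:
    """Score assuming every POAM item due on or before `as_of` has been closed."""
    projected = [
        Requirement(r.req_id, r.weight, True, None)
        if (not r.implemented and r.poam_due is not None and r.poam_due <= as_of)
        else r
        for r in reqs
    ]
    return sprs_score(projected)


def open_poam_items(reqs: Iterable[Requirement], as_of: date) -> List[Requirement]:
    """Unmet requirements whose POAM date is still in the future, soonest first."""
    items = [
        r for r in reqs
        if not r.implemented and r.poam_due is not None and r.poam_due > as_of
    ]
    return sorted(items, key=lambda r: r.poam_due)


# Constructed sample assessment: six of the 110 requirements. The weights are
# illustrative only; take the real ones from the official scoring table.
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.2", 5, True),
    Requirement("3.1.10", 1, False, date(2024, 12, 31)),  # session lock
    Requirement("3.3.1", 5, False, date(2025, 3, 31)),    # audit logging coverage
    Requirement("3.5.3", 5, False, date(2025, 6, 30)),    # multi-factor authentication
    Requirement("3.12.1", 3, True),
]

if __name__ == "__main__":
    print("current score:", sprs_score(SAMPLE))  # 99 for the sample
    for when in (date(2025, 1, 1), date(2025, 4, 1), date(2025, 7, 1)):
        print(f"projected as of {when}: {projected_score(SAMPLE, when)}")
    print("open POAM items:", [r.req_id for r in open_poam_items(SAMPLE, date(2025, 1, 1))])
```

The range check in `sprs_score` is the useful guard: if an imported weight table ever produces a score below -203, the table, not the assessment, is what needs fixing.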
SSP Report Builder:
A System Security Plan (SSP) is a comprehensive document required for achieving CMMC certification. It outlines an organization's cybersecurity controls and how they are implemented to protect sensitive data, including Controlled Unclassified Information (CUI). The SSP details the organization's current security practices, the systems and components in use, and how each NIST SP 800-171 (or other relevant) security requirement is met. It includes information on network boundaries, user roles, and data flow within the system. The SSP is crucial for assessing an organization's compliance status during CMMC audits, identifying areas for improvement, and supporting the creation of a Plan of Action and Milestones (POAM) to address any security gaps. A well-documented SSP demonstrates an organization's commitment to cybersecurity and helps ensure the effective management of security controls over time.
ControlMap's SSP report builder walks you through each required section and lets you link in the relevant policies that already exist within ControlMap. Sample SSPs and templates are available online; an example is provided below for reference.
CMMC Specific Reports:
ControlMap supports a number of reports in its reporting center that are useful for CMMC including:
- Plan of Action & Milestone (POAM) Report
- Assessment Report
- Supplier Performance Risk Score (SPRS) Report
- Shared Responsibility (SRM) Report
- Audit Evidence Exporter
Sample SSP Report example below:
A System Security Plan (SSP) typically follows a structured format that includes sections that cover various aspects of an organization’s security environment. Below is a simplified example of how an SSP might be structured and some of the information it may include.
---
### **System Security Plan (SSP) Template - Sample**
---
**Organization Name:** XYZ Defense Contractors
**System Name:** XYZ Network
**Plan Date:** September 16, 2024
**Author:** Jane Doe, Chief Information Security Officer (CISO)
---
### 1. **System Overview**
- **System Name:** XYZ Defense Contractors Internal Network
- **System Description:** XYZ’s network supports communication and data storage for various DoD contracts, handling Controlled Unclassified Information (CUI). It includes servers, workstations, routers, and secure cloud services used by employees to access, store, and transmit CUI.
- **System Boundary:** The boundary includes all hardware, software, and cloud services used for DoD contracts, as well as physical locations such as offices and data centers.
---
### 2. **System Environment**
- **Hardware:** Dell PowerEdge servers, Cisco firewalls, workstations (Lenovo ThinkPads), etc.
- **Software:** Microsoft Windows 10, Office 365, Splunk for logging, CrowdStrike for endpoint security.
- **Users:** 150 employees across three U.S. offices.
- **Cloud Services:** Microsoft Azure (FedRAMP authorized).
- **Data Types:** Controlled Unclassified Information (CUI), Federal Contract Information (FCI).
---
### 3. **Security Controls and Compliance**
#### 3.1 Access Control (AC)
- **AC-2: Account Management**
  - **Implementation Status:** Implemented
  - **Description:** XYZ enforces role-based access control (RBAC) with accounts reviewed every 90 days. Multifactor authentication (MFA) is required for system access.
- **AC-3: Access Enforcement**
  - **Implementation Status:** Implemented
  - **Description:** Permissions are restricted to authorized users based on the principle of least privilege.
#### 3.2 Audit and Accountability (AU)
- **AU-2: Audit Events**
  - **Implementation Status:** Partially Implemented
  - **Description:** The system logs all user activity, with alerts generated for unauthorized access attempts. Logs are retained for 365 days.
  - **Planned Actions:** Expand coverage to all devices by Q1 2025.
- **AU-3: Content of Audit Logs**
  - **Implementation Status:** Implemented
  - **Description:** Audit logs capture user ID, timestamp, and details of the event. Logs are encrypted and stored securely.
#### 3.3 System and Communications Protection (SC)
- **SC-8: Transmission Confidentiality and Integrity**
  - **Implementation Status:** Implemented
  - **Description:** Data in transit is encrypted using TLS 1.2 or higher. Secure file transfer protocols are enforced for all CUI exchanges.
---
### 4. **Risk Assessment**
XYZ performs annual risk assessments to identify vulnerabilities and threats. The most recent assessment highlighted potential risks in remote access control, for which a mitigation plan is in progress.
---
### 5. **Plan of Action and Milestones (POAM)**
| Control Number | Description of Issue | Planned Actions | Estimated Completion Date |
|----------------|----------------------|-----------------|---------------------------|
| AU-2 | Incomplete audit logs for all devices | Implement logging for all devices | March 2025 |
| AC-4 | Insufficient session timeout settings | Reduce idle session timeout to 15 minutes | December 2024 |
---
### 6. **System Owner and Points of Contact**
- **System Owner:** John Smith, IT Director (john.smith@xyz.com)
- **CISO:** Jane Doe, Chief Information Security Officer (jane.doe@xyz.com)
---
### 7. **Plan Approval**
This System Security Plan has been reviewed and approved by the following:
- **Jane Doe, CISO**
  - **Date:** September 16, 2024
- **John Smith, IT Director**
  - **Date:** September 16, 2024
---
This sample illustrates how an SSP is structured, covering key sections such as system details, security controls, and compliance status. The SSP would be much more detailed in a real-world scenario, providing specific implementation details for each security control.