Skip to content

What Does the Cybersecurity Maturity Model Certification (CMMC) Mean for My Business?

Tanium takes a look at the new certification scheme for Department of Defense contractors


There’s plenty of talk right now among the defense community about the Cybersecurity Maturity Model Certification (CMMC). And with good reason.

The certification demands significant changes of government contractors working directly for the Department of Defense (DoD) or in its supply chain. Whereas previously they were responsible for maintaining their own security, contractors will now be forced to adhere to strict DoD-mandated requirements.

An estimated 300,000 businesses could be affected. So what are the challenges of securing modern supply chains? And what should contractors be aware of before they start their CMMC compliance journey?

Tanium’s James Hoscheit, global technology expert and Chris Hodson, chief information security officer (CISO) answer those questions. Watch this latest To the Point webcast.

The challenge of supply chain management

Supply chain management is challenging. But the way organizations have done risk management over the past decade has been too reliant on trust and spreadsheet and clipboard-based approaches — as Hodson explains here.

Overly simplistic questions eliciting binary answers failed to provide the level of end-to-end visibility organizations need for assurance.

One challenge for organizations is getting the quantity and quality of data they need to accurately assess the maturity of their supply chain partners. It needs not only to cover IT hygiene but areas like the software development lifecycle.

Another challenge is that, in the past, there’s been an almost “set and forget” approach to supply chain management. Organizations instead need to re-evaluate risk if, for example, an application or service begins to be used more broadly across the enterprise or starts to access different information.

How to start your CMMC compliance preparations

The CMMC itself is well designed and underpinned by holistic National Institute of Standards and Technology (NIST) standards and frameworks. In light of the recent SolarWinds attacks, it’s certainly a positive and much-needed step. But it will require a major investment of time and resources. We recommend starting the process now.

There are five levels of compliance depending on the agencies and systems you will be contracting for. The higher levels (3-5) place more of a spotlight on not just having the right technology in place, but the processes and repeatability to deploy and use those technologies in an operationally sound manner.

Starting from the bottom, each level adds more requirements to the previous one. By Level 2, organizations will be implementing around half of NIST’s SP 800-171, while Levels 4-5 adds NIST SP 800-53 as well as elements from ISO 27002 and some CIS controls.

The CMMC framework is publicly available, so we’d urge you to download and work through it. There are plenty of services out there that can help audit what you do. But be prepared for a heavy workload in documenting all of your processes and procedures.

How Tanium can help with CMMC compliance

Organizations may struggle to know which assets are in scope. This is where visibility and control of your IT environment are essential — you can’t manage what you don’t measure.

Tanium can help to provide this critical insight — enabling you to discover what assets you have, what applications are running on those assets, and who has access to them.

Here are some other ways we’re supporting CMMC compliance:

  • In Tanium Comply, we’ve added enhanced mappings to compliance benchmarks, so customers can see which checks in these benchmarks apply to CMMC and which controls they satisfy.
  • We’ve produced documentation to help customers understand which products’ capabilities help them address additional controls.
  • Our services team has produced some advice to help customers get their IT hygiene to a state where it can be easily measured under CMMC.

The CMMC is already in effect and will become a permanent feature of contracting with the federal government.

Whichever part of your business leads compliance projects, ensure that the security function is involved as early as possible.

Contact Tanium to learn more about how we can help your organization with CMMC compliance.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.