BeyondTrust - Secure Remote Access and Privileged Access Management
Announcement:
Be among the first to secure AI coworkers before they act. Request early access to AI Agent Security.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the Department of Defense (DoD) to assess existing DoD cybersecurity requirements. It was created to strengthen cybersecurity across the defense industrial base (DIB) and better safeguard DoD information amid increasingly frequent and complex cyberattacks.

Overview of the CMMC Program

The CMMC Program aligns with the DoD’s existing information security requirements for the DIB. It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.

Key features of the CMMC Program:

  • Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.

  • Assessment Requirement: CMMC assessments allow the DoD to verify DIB implementation of existing cybersecurity standards.

  • Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.

CMMC Model
A graphic depicting the CMMC model, courtesy of dodcio.defense.gov

Overview of Assessments

The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.

Level 1: Basic Safeguarding of FCI

Requirements:

  1. Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of CUI

Requirements:

  1. Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation.

  2. Decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

Requirements:

  1. Achieve CMMC Status of Final Level 2.

  2. Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

  3. Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

CMMC

CMMC Status

Source & Number of Security Requirements

Assessment Requirements

Plan of Action & Milestones (POA&M) Requirements

Affirmation Requirements

Level 1 (Self)

Level 1 (Self)

Yes 15 required by FAR clause 52.204-21

YesConducted by Organization Seeking Assessment (OSA) annually

Yes Results entered into the Supplier Performance Risk System (SPRS)

Yes Not permitted

Yes After each assessment

Yes Entered into SPRS

Level 2 (Self)

Level 2 (Self)

Yes 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012

Yes Conducted by OSA every 3 years

Yes Results entered into SPRS

Yes CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4

Yes Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days

Yes Final CMMC Status will be valid for three years from the Conditional CMMC Status Date

Yes after each assessment and annually thereafter

Yes Assessment will lapse upon failure to annually affirm

Yes Entered into SPRS

Level 2 (C3PAO)

Level 2 (C3PAO)

Yes 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012

Yes Conducted by C3PAO every 3 years

Yes Results entered into CMMC Enterprise Mission Assurance Support Service (eMASS)

Yes CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4

Yes Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days

Yes Final CMMC Status will be valid for three years from the Conditional CMMC Status Date

Yes After each assessment and annually thereafter

Yes Assessment will lapse upon failure to annually affirm

Yes Entered into SPRS

Level 3 (DIBCAC)

Level 3 (DIBCAC)

Yes 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012

Yes 24 selected from NIST SP 800-172 Feb2021, as detailed in table 1 to § 170.14(c)(4)

Yes Pre-requisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment

Yes Conducted by DIBCAC every 3 years

Yes Results entered into CMMC eMASS

Yes CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4

Yes Permitted as defined in § 170.21(a)(3) and must be closed out within 180 days

Yes Final CMMC Status will be valid for three years from the Conditional CMMC Status Date

Yes After each assessment and annually thereafter

Yes Assessment will lapse upon failure to annually affirm

Yes Level 2 (C3PAO) affirmation must also continue to be completed annually

Yes Entered into SPRS

"BeyondTrust Remote Support was the right product for Ariento because it achieved the cyber compliance requirements from the DoD, specific to DFARS and CMMC, in terms of our ability to service our defense contractor customers."

—Chris Rose, Partner & CEO at Ariento

Benefits of Using BeyondTrust

Least Privilege orange
Cybersecurity Maturity and Zero Trust Architectures
Implements secure access, enforcing least privilege and enabling ephemeral, just-in-time access controls.
Accelerates CMMC readiness by inheriting validated NIST 800-53/171 security controls
Monitor orange
Continuous Monitoring
Supports incident response capabilities, threat detection and compliance reporting
Discover, manage, rotate, and auto-inject privileged credentials to start remote sessions on-demand, adding a critical access security layer.
Enable just-in-time access to all your enterprise environments: cloud, on-premises, and OT

CMMC 2.0 Mapping: BeyondTrust Capabilities

CMMC Domain

Practice

BeyondTrust CMMC Capabilities

Access Control (AC)

AC.L2-3.1.1 / 3.1.5 / 3.1.12

Enforces least privilege, RBAC, and secure remote access

Audit & Accountability (AU)

AU.L2-3.3.1 / 3.3.3

Logs all privileged activity and enables audit review

System & Communications Protection (SC)

SC.L2-3.13.1 / 3.13.8

Encrypts and monitors all remote session traffic

Identification & Authentication (IA)

IA.L2-3.5.2

Supports per-session MFA and identity verification for all access

Incident Response (IR)

IR.L2-3.6.1 / 3.6.2

Enables incident response capabilities, threat detection, logging, and reporting

Risk Management (RM)

RM.L2-3.11.2

Integrates with vulnerability scanning and analytics

Configuration Management (CM)

CM.L2-3.4.6

Enforces minimal access and functionality policies

"[Remote Support] makes our support staff's lives a lot easier. Our customers like it as well, and are more satisfied in terms of our responsiveness and ability to meet their service demands quickly."

—Chris Rose, Partner & CEO at Ariento

"On average when we need to connect to a computer, it takes seconds [with Remote Support], whereas before, it would take minutes just to coordinate and get everything scheduled—a lot of back and forth...the main ROI is in time savings."

—Chris Rose, Partner & CEO at Ariento