US DoD Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification (CMMC) is a DoD requirement that applies to all organizations in the defense supply chain. The CMMC-AB (CMMC Accreditation Body) is the neutral, accredited third party responsible for certifying Assessors and maintaining the CMMC standards. The DoD provided the CMMC-AB with version 1.02 of the CMMC model along with other materials.

Belarc's system can be used by Assessors and Organizations Seeking Certification (OSCs) to meet many of the CMMC Model v1.02 controls. See Belarc's mapping to the CMMC Controls below.

  • Belarc is a COTS product that can be rapidly deployed and requires little if any ongoing maintenance.
  • Belarc's web-based architecture allows BelManage to run either on-premises, on our customer's cloud service or hosted by Belarc.
  • Belarc's system automatically monitors computing devices located anywhere throughout the world and updates its central repository daily.
  • Belarc automatically monitors on-premises machines in addition to roaming laptops, cloud-based machines and work-from-home machines.
  • Belarc has years of experience with DoD entities such as the USAF 844th CG, the US Marine Corps, and many parts of the Army and DoN.
  • Belarc's systems currently operate on the NIPRNet and SIPRNet.

For additional information and to request a demo, please fill out the form or send an email to cmmc.demo@belarc.com

Please let us know if you would like any additional information or to try our hosted demo.

Mapping of Belarc to CMMC Model v1.02 Controls

Belarc can help monitor the status of the following controls.

AC.2.006 - Limit use of portable storage devices on external systems.

  • NIST SP 800-171 Rev 1 3.1.21
  • CIS Controls v7.1 13.7, 13.8, 13.9
  • NIST CSF v1.1 ID.AM-4, PR.PT-2
  • NIST SP 800-53 Rev 4 AC-20(2)

AM.4.226 - Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

  • CMMC modification of Draft NIST SP 800-171B 3.4.3e
  • CIS Controls v7.1 1.1, 1.2, 1.4, 1.5, 2.3, 2.4, 2.5
  • NIST CSF v1.1 ID.AM-1, ID.AM-2
  • CERT RMM v1.2 ADM:SG1.SP1
  • NIST SP 800-53 Rev 4 CM-8

AU.2.041 - Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

  • NIST SP 800-171 Rev 1 3.3.2
  • CIS Controls v7.1 16.8, 16.9
  • NIST CSF v1.1 DE.CM-1, DE.CM-3, DE.CM-7
  • CERT RMM v1.2 MON:SG1.SP3
  • NIST SP 800-53 Rev 4 AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12

CM.2.061 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

  • NIST SP 800-171 Rev 1 3.4.1
  • CIS Controls v7.1 1.4, 1.5, 2.1, 2.4, 5.1
  • NIST CSF v1.1 ID.AM-1, ID.AM-2, PR.DS-3, PR.DS-7, PR.IP-1, DE.AE-1
  • CERT RMM v1.2 KIM:SG5.SP2
  • NIST SP 800-53 Rev 4 CM-2, CM-6, CM-8, CM-8(1)
  • UK NCSC Cyber Essentials

CM.2.063 - Control and monitor user-installed software.

  • NIST SP 800-171 Rev 1 3.4.9
  • CIS Controls v7.1 2.1, 2.2, 2.6
  • NIST CSF v1.1 DE.CM-3
  • CERT RMM v1.2 MON:SG2.SP3
  • NIST SP 800-53 Rev 4 CM-11

CM.5.074 - Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).

  • CMMC modification of Draft NIST SP 800-171B 3.14.1e
  • CIS Controls v7.1 2.10
  • NIST CSF v1.1 PR.DS-6, PR.DS-8, PR.IP-2
  • CERT RMM v1.2 TM:SG2.SP2
  • NIST SP 800-53 Rev 4 SI-7(6), SI-7(9), SI-7(10), SA-17

CM.4.073 - Employ application whitelisting and an application vetting process for systems identified by the organization.

  • CMMC modification of NIST SP 800-171 3.4.8
  • CIS Controls v7.1 2.1, 2.2, 2.6, 2.7, 2.8, 2.9
  • NIST CSF v1.1 PR.PT-3
  • CERT RMM v1.2 TM:SG2.SP2
  • NIST SP 800-53 Rev 4 CM-7(4), CM-7(5)

IA.1.076 - Identify information system users, processes acting on behalf of users, or devices.

  • FAR Clause 52.204-21 b.1.v
  • NIST SP 800-171 Rev 1 3.5.1
  • CIS Controls v7.1 4.2, 4.3, 16.8, 16.9
  • NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
  • CERT RMM v1.2 ID:SG1.SP1
  • NIST SP 800-53 Rev 4 IA-2, IA-3, IA-5

MP.2.121 - Control the use of removable media on system components.

  • NIST SP 800-171 Rev 1 3.8.7
  • CIS Controls v7.1 13.7, 13.8
  • NIST CSF v1.1 PR.PT-2
  • CERT RMM v1.2 MON:SG2.SP4
  • NIST SP 800-53 Rev 4 MP-7

MP.3.123 - Prohibit the use of portable storage devices when such devices have no identifiable owner.

  • NIST SP 800-171 Rev 1 3.8.8
  • NIST CSF v1.1 PR.PT-2
  • CERT RMM v1.2 MON:SG2.SP4
  • NIST SP 800-53 Rev 4 MP-7(1)

RM.2.142 - Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

  • NIST SP 800-171 Rev 1 3.11.2
  • CIS Controls v7.1 3.1, 3.2
  • NIST CSF v1.1 ID.RA-1
  • CERT RMM v1.2 VAR:SG2.SP2
  • NIST SP 800-53 Rev 4 RA-5

SI.2.217 - Identify unauthorized use of organizational systems.

  • NIST SP 800-171 Rev 1 3.14.7
  • NIST CSF v1.1 DE.CM-1, DE.CM-7
  • CERT RMM v1.2 MON:SG1.SP3
  • NIST SP 800-53 Rev 4 SI-4