The Defense Department formally began implementing a new approach to cybersecurity for its contractors in 2020: the Cybersecurity Maturity Model Certification or CMMC. The CMMC is intended to ensure that those who contract with the DoD use appropriate cybersecurity controls to protect the Defense Department's data.
The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on DoD contractor networks.
Contractors with CMMC certification will have a distinct advantage when competing for prime contracts or working as subcontractors. When dealing with controlled unclassified information, every state and federal agency will eventually require all contractors to be CMMC certified (CUI). When this happens, all major prime contractors throughout the supply chain will comply, and those requirements will be passed down to their ecosystem of subcontractors. It is highly recommended that you begin now if you want to stay in the game and potentially gain footing with the primes or government agencies with whom you are currently doing business. Obtaining a CMMC certification shows potential customers that you have internal controls in place to manage performance risks.
There are three certification levels for the now-upgraded CMMC 2.0, ranging from basic cyber hygiene (Level 1) to advanced cybersecurity controls (Level 3). To receive future contracts, any contractor doing business with the DoD will need to be CMMC accredited based on the contract requirements. In the Defense Supplement to the Federal Acquisition Regulation, the DoD recently issued an interim rule on the CMMC forcing contracts to self-assess until the final rules are announced and formally implemented. Below is a diagram of the change from CMMC 1.0 to CMMC 2.0.
The deadline for requiring all DoD contractors to achieve CMMC compliance has moved further to the right. According to current projections, full implementation will begin in the summer of 2023. This should not deter you from taking action right now. Installing a proper cybersecurity program within your organization can take a significant amount of time. By committing to plan for these changes, you can put yourself ahead of the pack and potentially be in the driver's seat for future contract awards.
Investment in assessing and qualifying for CMMC compliance demonstrates to the DoD and other government agencies that a contractor takes IT and data security very seriously and that the contractor can be trusted to protect sensitive government data. Any contractor seeking to demonstrate such integrity and rigor in securing government data would be wise to obtain CMMC accreditation for the type of work they are performing as soon as possible.
What Is Involved in Getting CMMC Accreditation?
The DoD encourages its contractors to complete a self-assessment prior to scheduling a CMMC assessment. But what does a CMMC assessment involve?
The CMMC Accreditation Body, (Cyber AB), a nonprofit, independent organization, is starting to accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors - those who will actually perform the CMMC assessments of DoD contractors. The Cyber AB thus far has completed the first provisional training of C3PAOs. The Cyber AB has also published draft guidelines outlining the requirements for the CMMC certification audit.
The provisional assessors will "shake out the program and what needs to be done before the training and certified assessors for the open market are released. The government has estimated that 7,500 companies will be certified in 2023.
What do assessors look for when evaluating a contractor's cybersecurity strategy? To begin, they examine what types of certifications a company has already obtained to determine its level of cybersecurity controls. If a contractor has obtained ISO 28000 certification, demonstrating end-to-end secure supply chain controls, as well as ISO 27001 certification, which covers requirements for NIST-based information security management standards, this is a great place to start when it comes to CMMC compliance. Obtaining those certifications shows the C3PAOs' commitment to security controls and practices. If contractors do not already have such certifications, achieving the required level of CMCC accreditation quickly may be difficult.
CMMC Levels 1 through 3 encompass the 110 security requirements specified in NIST SP 800-171 Rev.2, which covers the protection of controlled unclassified information in nongovernment systems. Each DoD contractor is going to be at a different maturity level in terms of the cybersecurity controls it employs. That is based on the company's understanding of security controls and processes and how central they are to that company's business model. If your organization utilizes the services of a managed service provider (MSP) and the MSP has implemented relevant controls, then the contractor is able to claim credit for them. If you are an MSP then you should understand these requirements clearly or work with another consultant that has the expertise.
The CMMC 2.0 will be rolled out initially on targeted contracts, and those that have achieved a level of certification will be in a strong position to participate in those. Eventually, the CMMC process will be applied in the years ahead to agencies outside the DoD. That makes being able to demonstrate compliance even more valuable for contractors, especially as they perform more services for agencies and conduct operations onsite with them.
What Should I Be Doing Now?
Your first step should be to review the CMMC 2.0 requirements. If you have not done this, it's not too late to get started. Below is a list of suggested next steps. Once you've completed all the tasks listed below you should be ready for an independent audit.
-
-
- Review the CMMC 2.0 security controls and practices required.
- Set a target for the CMMC level required aligned with business objectives.
- Identify experts with security backgrounds to complete an initial assessment.
- Conduct an initial assessment and identify significant compliance gaps.
- Develop a formal remediation plan that includes tasks and a timeline.
- Review the CMMC certification requirements published by the Cyber AB
- Complete the remediation plan and conduct a preliminary audit in-house.
- Hire a C3PAO to complete an independent certification audit.
Obtaining certifications necessitates dedication and investment, which pays off when it comes time to receive accreditation. Government agencies trust contractors with CMMC certification to protect their data because they are aware of the stringent security controls in place to protect their data. Obtaining that trust through an accreditation such as the CMMC demonstrates the company's commitment to security and increases its value as a trusted partner.
Learn How Centrum Cyber Can Help?
Service providers can provide both the governance, risk, and compliance (GRC) tools as well as the security resources needed to continuously assess and monitor compliance. Selecting the right managed service provider (MSP) or managed security service provider (MSSP) can provide a significant step forward, allowing the contractor to leverage processes and systems that have already been certified. Centrum Cyber is the choice of most successful providers as it's a complete tool that allows their clients to build a comprehensive enterprise-grade Cyber Security Program.