A DoD Contractor’s New Best Friend (CMMC)

To be a successful Department of Defense contractor or subcontractor, you need to get certified. The Cybersecurity Maturity Model Certification (CMMC) is the new way for DoD contractors and subcontractors to show that they can meet cybersecurity requirements with confidence.

Remember Your Old Friend NIST SP 800-171?

The government has been following these cybersecurity requirements since 2003. The Cybersecurity Maturity Model Certification (CMMC) was created to enhance compliance in conjunction with the Defense Federal Acquisition Regulation Supplement (DFARS).

You are a contractor, and you have the responsibility to keep government information safe. But let’s be honest: you’re not going to be perfect all of the time. With more tasks than ever before coming your way every day, and no end in sight, it’s easy for something to slip through or go unnoticed when it comes to compliance standards like CUI security regulations.

If you want to keep your organization’s DoD contract work, then get certified. The CMMC is changing RFI and RFP requirements which will impact who can be awarded contracts in the future.


Think of the CMMC as a Cybersecurity Software Update

Every year, Apple updates its operating system to bring about new features. Many people don’t notice the changes until they are forced into a situation where their old phone can no longer perform basic functions such as texting or checking email because of an outdated OS version.

In the same way, for those who handle sensitive federal information, CMMC is a certification program you cannot afford to ignore. Version 1.0 was released in January 2020 and with subsequent versions rolling out soon, the DoD expects all contracts to include this requirement by 2026. Moreover, while right now the CMMC model is only applicable within the DoD, many speculate that it will eventually expand to the Federal sector.

The CMMC is designed to ensure your company’s success and longevity. You’ll be glad you made the investment once it starts boosting productivity and efficiency!


Let’s Get Technical

Make or Break Conditions:

  • DIY is a no-go. Unlike other compliance assessments, there is no self-assess option for the CMMC. Each CMMC award must be provided through the CMMC Accreditation Body (AB) which will oversee the training, quality, and administration of the C3PAOs.
  • All hands must be on deck. Anyone employed by your company, including other contractors and/or subcontractors, must also be certified. Subcontractors, however, do not need to obtain the same level of clearance as their
  • It only applies to unclassified networks. This certification is only relevant to those that handle, process, and/or store FCI or CUI. What the heck is considered CUI? No one really knows, so it’s best to assume your work falls in this category. The handling of classified information falls under different safeguards.
  • It’s not necessarily one-and-done. Each certification is valid for 3 years. But even after you get certified, if your company experiences a security breach during a contract, then you may run the risk of a CMMC re-assessment. Only under exceptional circumstances will you lose the CMMC certification; but be prepared to use this methodology throughout your contract.
  • One size does not fit all. The CMMC accounts for varying security levels as not all DoD contracts are the same. Each RFP will reflect one of five levels of clearance needed to obtain the contract.
    • Level 1: Basic Cyber Hygiene
    • Level 2: Intermediate Cyber Hygiene
    • Level 3: Good Cyber Hygiene
    • Level 4: Proactive
    • Level 5: Advanced/Progressive

The certification process, consisting of cyber audits and risk assessments, is like a stairway to security. Speak with a CMMC accreditation body to learn the type of security clearance that you require so that you can move up on this staircase without any business disruptions.

Get Ready, Get Set…

For those in need of high-level security clearance, the self-assessment test will pinpoint any areas that need to be addressed before an audit. However, a consultant can do this much more effectively than an internal IT team. Consulting firms also offer gap analysis plans for additional insight into problem solving and hacking prevention tactics.

Get Certified!

Once you have implemented essential security practices and compiled documentation, it’s time to be assessed by the CMMC Accreditation Body.


Need Some Guidance?

ABQ-IT has a plan in place to help you get there quickly and easily, even if your company is not currently compliant! With our CompleteCloud Platform, DoD contractors can achieve Level 3 compliance in just 30 days. We’re also working with approved auditors for an economical package that will take care of everything necessary so you don’t have to scramble or break the bank trying to meet this important deadline on time!