What Is the CMMC and How Do You Become Compliant?

If you work for a company that contracts or subcontracts with the US Department of Defense, you are likely already familiar with the CMMC, the Cybersecurity Maturity Model Certification. You may also be aware that a newer version, CMMC 2.0, is slated to be finalized later this year, and that DoD contractors and subcontractors will be required to follow it as well.

While the government is still working out the details, businesses that contract with the DoD are already scrambling to get into compliance so they don't lose their contracts.

In this blog, we’ll talk about what the CMMC is, why compliance is important, the old and new CMMC framework, and how to ensure that your business is certified.

What Is the Cybersecurity Maturity Model Certification?

It only makes sense that the DoD would take extra steps to ensure that the third parties it works with have a level of cybersecurity that meets government standards.

This is the driving force behind the CMMC certification process. Government contractors and subcontractors must demonstrate that they meet a defined level of cybersecurity in order to protect the sensitive information that comes with government work: Federal Contract Information (FCI) and, in many contracts, Controlled Unclassified Information (CUI).

The CMMC was created in response to increasing cyber threats and breaches, which put national security at risk.

To be in compliance with the CMMC, businesses need to meet the requirements of the CMMC Framework. The initial framework defined five levels that build on one another so that contractors do what is reasonably expected to prevent cyberattacks that could leave the government's information exposed.

What types of businesses typically have DoD contracts?

Many businesses contract with the DoD, but the most common industries are aircraft and space, private aerospace and defense, drones and missiles, cybersecurity, healthcare, and construction. Many of the contractors and subcontractors support the defense industrial base.

In addition, big names like Pfizer and Boeing have DoD contracts, as well as many smaller local entities. So the CMMC certification has wide-reaching implications.

Why is CMMC Compliance Important?

Companies that work with the US Department of Defense are likely already aware that CMMC requirements will affect their ability to bid on government contracts. With cybersecurity breaches and cyber crime on the rise, the DoD has been working to make its cybersecurity requirements clearer and more thorough, first through interim DFARS rules and now through the rulemaking for CMMC 2.0, which is still in progress.

If businesses are found to be out of compliance, they will no longer be eligible to bid on or be awarded DoD contracts that require a CMMC level.

CMMC vs NIST 800-171

Even though CMMC has not yet been written into a final rule, businesses have been doing what they can to get into compliance since the DFARS interim rule of September 2020 first introduced CMMC into DoD contracts. In the meantime, defense contractors that handle CUI have been required by DFARS clause 252.204-7012 (part of the Defense Federal Acquisition Regulation Supplement) to implement NIST SP 800-171, the NIST publication that lists 110 security requirements for protecting CUI in nonfederal systems.

CMMC does not replace NIST 800-171 or DFARS. It builds on them: the CMMC requirements are added to contracts through DFARS, and CMMC 2.0 Level 2 consists of the same 110 NIST 800-171 requirements. What CMMC adds is verification. Under NIST 800-171 alone, contractors self-attested to compliance; under CMMC, most contractors handling CUI will have to prove it to an assessor.

If you are unsure what your business needs to do to be in compliance, it is often worth working with a cybersecurity company that specializes in compliance to help you check all the boxes.

The CMMC Framework - Broken Down

The original CMMC 1.0 framework was a tiered system with five levels. CMMC 2.0 simplifies this to three tiers, which we'll get into a bit more momentarily.

What are the 5 CMMC levels?

Any company that has already been working on CMMC compliance has likely been working through these progressive tiers of cybersecurity maturity from CMMC 1.0:

Level 1: Basic Cyber Hygiene

Level 2: Intermediate Cyber Hygiene

Level 3: Good Cyber Hygiene

Level 4: Proactive

Level 5: Advanced/Progressive

Each level has specific practices and processes that must be implemented to achieve compliance. The practices are grouped into 17 domains, including access control, incident response, risk management, and system and communications protection.

Under CMMC 1.0, every level required an assessment by a third-party assessment organization; there was no self-assessment option. A third-party assessment was never required under NIST 800-171, which relied on self-attestation, so this was one of the big differences between the two programs. CMMC 2.0 relaxes this by allowing self-assessment at the lowest tier and for some contracts at the middle tier, as described in the next section.

CMMC 2.0 | How is it different, and when do you need to care?

In the new CMMC model (which still has no announced timeline for enforcement), the five levels are narrowed down to three: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Level 1 covers the basic safeguarding requirements of FAR 52.204-21 for contractors that handle FCI. Level 2 is aligned with NIST 800-171: it consists of the 110 requirements of that publication and applies to contractors that handle CUI. Level 3 is intended for the most sensitive programs and adds requirements drawn from NIST SP 800-172.

Another distinction is how each level is assessed. Level 1 requires an annual self-assessment with a senior company official affirming the result. Level 2 requires an assessment by a certified third party every three years for most contracts, with a triennial self-assessment allowed for a subset of lower-priority programs, plus an annual affirmation in between. Level 3 requires a government-led assessment every three years.

Who should have CMMC certification?

Any defense contractor that handles FCI or CUI on behalf of the DoD will need a CMMC level, and the higher levels apply specifically to contractors dealing with CUI and other sensitive defense information. According to defense.gov,

“Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.”

What actions should DoD contractors take now?

The best practice is to start working with a compliance specialist now and begin implementing the required practices so you can move up the tiers. As your business bids on new contracts, the solicitation will state which CMMC level you'll need.

Not to overwhelm the average small-to-medium business owner, but Level 2 alone carries over all 110 security requirements from NIST 800-171, many of which take months to implement properly. While CMMC 2.0 is still in the rulemaking process, which could take months or years, it's best to start implementing as many of these practices as you can, because CMMC compliance will be required in new contracts once the rulemaking process is complete.

CMMC Compliance: How to Obtain Your Certification

To obtain a CMMC Level 2 certification, most contractors and subcontractors must undergo a third-party assessment conducted by a certified CMMC Third-Party Assessment Organization (C3PAO). (Level 1 is handled through self-assessment, and Level 3 through a government-led assessment.) The C3PAO evaluates the contractor's cybersecurity posture against the requirements of the level the contractor is seeking. If the contractor passes the assessment, it is awarded a certification indicating its level of compliance.

How to get started with CMMC compliance

There are compliance tools and checklists out there, but since the CMMC rule isn't final yet, it's best to start working with an IT specialist or cybersecurity company that specializes in NIST 800-171 compliance so you can get ahead of it. Because CMMC 2.0 Level 2 is made up of the NIST 800-171 requirements, work done toward NIST 800-171 today carries directly over to CMMC.

When will CMMC compliance be required?

Every DoD contractor everywhere wishes there were a definitive answer to this question, but unfortunately, there is none. Some sources expect the official rules to be released as soon as May or June of 2023, which would give businesses an expected deadline of 2024 to make sure all their ducks are in a row.

Cyber AB (the CMMC Accreditation Body) CEO Matthew Travis explains the prolonged timeframe this way,

“But these are consequential rules and they will certainly have an impact on how the sector does business… the department wants to get it right. We want to get it right.”

Undergo the CMMC Assessment

At ABQ-IT, we specialize in compliance and cybersecurity. Because there are so many government entities here in New Mexico, we are familiar with the DoD's compliance regulations and can complete a gap assessment. Let a cybersecurity specialist walk through your protocols before you bring in a C3PAO, to ensure you have everything in place to pass when the time comes.

Give us a call at ABQ-IT today to schedule an audit where we can identify gaps and set your business up to keep your government contracts and gain new ones.