The world of IT moves fast, including the new legislation that evolves and changes with it. Recently, the US Department of Defense (DoD) released new policies requiring Cybersecurity Maturity Model Certification (CMMC) for all of its contractors. What does this mean for your business? Where do you even start? We’ve got you covered—this is CMMC in a nutshell.
What is CMMC?
The DoD released new cybersecurity compliance measures in 2020 as a response to sensitive information leaks from its contractors. Previously, contractors were fully responsible for the way they implemented, maintained, and certified systems to store and transmit DoD information. The CMMC legislation requires assessments by a third party, standardizing the process to keep information mishandlings to an absolute minimum.
CMMC Explained
Self-assessed cyber security practices can lead to oversight and bias, which is why CMMC requires a third party to evaluate the strength and security of a DoD contractor’s information technology infrastructure. CMMC helps standardize the definition of good “cyber hygiene,” so the DoD can properly assess a contractor’s defense against threats and handling of sensitive information.
Over 300,000 contractors will be required by law to get CMMC certification. In order to maximize cybersecurity, the CMMC was drafted with significant influence from the University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry professionals.
How to Get CMMC Certification
To get certified, contractors must go to the CMMC-AB Marketplace website and select an Authorized or Accredited C3PAO. The contractor and C3PAO will coordinate the CMMC assessment and complete appropriate contractual agreements. Once the CMMC assessment is completed, the C3PAO will provide a report. If there are no deficiencies, they will issue the appropriately tiered CMMC certificate to the company. Finally, the C3PAO will submit a copy of the assessment report and CMMC certificate to the DoD for official confirmation.
What makes CMMC unique is the tiered system of certification it offers. There are five levels of certification that reflect the reliability of a company’s cyber security infrastructure. The levels build off one another, and each one is more secure than the last. Depending on the security necessary for a specific project, the DoD will choose a contractor based on their CMMC tier, so sensitive government materials on contractors’ information systems will be safeguarded.
Level 1
Think of this level as the basics. Contractors that fall into this tier use antivirus software and require employees to change their passwords on a regular basis to protect Federal Contract Information (FCI). FCI is all information given to a contractor by the government that is not intended for public release.
Level 2
This is the intermediate phase, as practices must be able to protect Controlled Unclassified Information (CUI) through the implementation of the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2). This NIST 800-171 r2 compliance is similar to what was required in the past, including disseminating controls on all government CUI.
Level 3
A company must have an institutionalized management plan to implement good cybersecurity in order to safeguard CUI, including all the NIST 800-171 r2 security requirements mentioned previously, as well as additional standards.
Level 4
This level requires implemented processes for monitoring and measuring the effectiveness of “cyber hygiene”. It also requires additional established, enhanced practices to detect and respond to advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and a high number of resources that give it the ability to access CUI through multiple attack vectors.
Level 5
The culmination of all requirements from previous tiers, this level requires the most advanced cybersecurity practices to safeguard against the compromised CUI and protect against all ATPs. At Level 5, these processes must be implemented at a very sophisticated level.
Takeaways for the Future
Clearly, these requirements are bound to change the way that contractors take on and begin projects, and CMMC compliance is said to impact over 300,000 contractors. With that being said, there are a few key elements that we recommend keeping in mind as you move forward.
- Constantly engage with agencies such as the RFIs and RFPs that include minimum certification requirements. Staying in contact with the people that make these rules ensures that you will be prepared for new changes, often with guidance directly from the source. CMMC certification is set to be a minimum requirement for DoD contract eligibility; however, contractors should not view their cyber-compliance as “complete” once they become certified. The DoD has made it clear that the CMMC is a starting point for transforming contractors’ internal cyber security culture. It is a foundation to build cyber security upon, not a final destination. By engaging with agencies and the DoD at large, you can prepare for evolving threats in the cyber world that will give you the edge you need to be awarded a contract.
- Stay up to date with current trends in the information technology community. CMMC has taken the cyber security world by storm, and those who were not ready for the change missed out on a lot of potential contracts. Since CMMC is still relatively new, there will be new rules implemented regarding the auditing and appeals process of certification, as well as other advanced requirements that could be made standard at lower tiers. Since the world of cyber security moves so quickly, it’s important your company is able to keep up with the evolving nature of CMMC compliance.
- It’s never too early to begin preparations. Contractors that foster a learning culture within cyber security have flexibility within their organizations, which makes it far easier to roll with the punches as legislation evolves. To make preparations easier, have documentation on file regarding your company’s practices and procedures that already comply with CMMC. Also, plan for future projects by aiming for the highest level of certification possible. By doing so, you get more access to projects and complete the certification process faster. This way, no competitor can sneak up behind you and steal a potential work opportunity.
Frequently Asked Questions
Let us answer some of your most frequently asked questions about CMMC.
How will CMMC be different from NIST SP 800-171?
The CMMC tiers are the main differentiating factors from NIST SP 800-171. The CMMC Model also includes additional cyber security practices and assesses the company’s maturity processes.
Are the results of my CMMC assessment public?
No. The only public aspect of your assessment whether or not you hold certification. All other elements, including the detailed results of a CMMC assessment and specific CMMC certification levels, will remain private.
How often will I need to renew my certification?
Each CMMC certification will be valid for 3 years; however, you may need to test multiple times in this period, as some contracted jobs require a higher level of certification than others.
How will I know what CMMC level is necessary for my contracted work?
According to the Office of the Under Secretary of Defense for Acquisition & Sustainment,
“The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).”
