A new cybersecurity certification requirement has recently taken effect that will affect the many different types of businesses that work on Department of Defense (DoD) contracts. This certification is called the Cybersecurity Maturity Model Certification, or CMMC.
What is CMMC?
In a comprehensive effort to improve the overall security and resilience of companies working under U.S. military contracts, the DoD released version 1.0 of the CMMC in January 2020. The CMMC was built from well-regarded security frameworks and standards, including NIST SP 800-171 (the National Institute of Standards and Technology's requirements for protecting controlled unclassified information), the basic safeguarding requirements in the Federal Acquisition Regulation (FAR) clause 52.204-21, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) version 1.2. Through this design, the CMMC represents a single, unified cybersecurity standard that all current and prospective DoD contractors will have to meet.
The CMMC is specifically intended to safeguard the controlled unclassified information (CUI) and federal contract information (FCI) that resides on the unclassified networks of companies and subcontractors working with the DoD.
Which Companies Must Be Certified?
More than 300,000 companies and subcontractors are considered essential to United States military operations because of their work with the DoD. Collectively they are known as the defense industrial base (DIB), and they are likely targets of cyberattacks by foreign adversaries as well as independent hackers. Any breach of the DIB's intellectual property or sensitive personal data is especially concerning because it could weaken U.S. defense capabilities and endanger national security.
Prior to the CMMC, companies contracting with the DoD were not required to provide evidence that they were following the recommended security practices; most simply self-certified that they met the required standards. Because of the gaps this self-attestation process left open, the DIB and the DoD have suffered numerous breaches, disruptions, and thefts of intellectual property.
CMMC’s Main Goals
The main goals of the CMMC are summarized in the points below.
- Ensuring that all contractors are prepared to defend against current and future cyber risks.
- Verifying that contractors have strong controls to protect the CUI that resides on the DIB's networks and systems.
- Requiring independent third-party validation to provide assurance that the required standards are actually being met.
- Providing levels of compliance that align with the different levels of risk.
- Improving security at a manageable cost to the federal government.
The Five Maturity Levels of CMMC Certification
The CMMC organizes cybersecurity practices and processes into five cumulative maturity levels, ranging from basic cyber hygiene at Level 1 to advanced, proactive security operations at Level 5. Each level builds on the one below it: Level 1 consists of the 17 practices drawn from FAR 52.204-21, Level 3 comprises 130 practices (including all 110 requirements of NIST SP 800-171) and is the minimum level for handling CUI, and Level 5 reaches 171 practices. The level an organization holds represents the state of its cybersecurity infrastructure and controls and its capability to protect intellectual property and sensitive government information. The required level is set by the sensitivity of the information a contract involves: contracts that only handle FCI can be performed at Level 1, while contracts that involve CUI require Level 3 or higher.
CMMC Timeline
Starting with requests for information (RFIs) and requests for proposals (RFPs) in September 2020, DoD contracts will gradually begin to require CMMC certification at various levels from private companies. The DoD's target is 10 RFIs and 10 RFPs with CMMC requirements by the end of 2020, which would mean a supply chain of approximately 150 certified contractors for each awarded contract. Full implementation of the CMMC will be rolled out gradually through 2025, with a target of more than half of all prime contractors and subcontractors assessed and certified by 2022.
How Does the Assessment/Certification Process Work?
The CMMC Accreditation Body (CMMC AB) is an independent non-profit organization that accredits CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.
The CMMC AB has established a CMMC Marketplace that lists the approved C3PAOs along with other important information. Using the CMMC Marketplace, a company can select an approved C3PAO and schedule a CMMC assessment for a specific level. The CMMC AB also provides guidance to help companies perform a recommended self-assessment before any official assessment. The CMMC Marketplace is accessible at www.cmmcab.org.
The cost of a CMMC assessment will depend on the CMMC level sought, the complexity of the company's network, and market forces. The DoD has stated that the cost of assessment will be reasonable and will be treated as an allowable, reimbursable expense.
The C3PAO evaluates the company's security gaps and weaknesses and determines whether it meets the requirements for the desired CMMC level. After the initial assessment, a company has up to 90 days to resolve any issues flagged by the C3PAO in order to receive its CMMC certification.
CMMC certification is valid for three years.
Consult With an IT Security and Compliance Expert
If your company or organization works with the DoD in any capacity, you will eventually need some level of CMMC certification. We recommend working with an expert in IT security and compliance requirements, such as Network Depot, to navigate this complicated process and prepare your company to meet its cybersecurity obligations. With the help of a trusted IT partner, your organization can fulfill the requirements for CMMC certification and continue to work effectively and securely on DoD contracts.