What you need to know about CMMC right now
What it means for your business and how to tackle it, step-by-step
What is CMMC?
As part of an initiative to protect the US defense supply chain from cyber threats, the Department of Defense issued a new standard of cybersecurity verification controls for private contractors. Known as the Cybersecurity Maturity Model Certification, CMMC is an effort to speed up the adoption of mature cybersecurity practices and prevent false compliance claims.
CMMC builds upon DFARS and outlines multiple maturity levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced.” Unlike DFARS/NIST 800-171, all contractors working with the DoD will need to undergo a thirty-party audit prior to any contract award (pre-award certification). The intent is to identify a contractor’s CMMC level in their Request for Proposal (RFP) as a decision factor when evaluating vendors.
The cold, hard facts:
- Failure to meet the required CMMC maturity level kills your chances at landing government contracts.
- Right now, around 300,000 vendors must comply with CMMC to continue business. The DoD estimates that only 10% of them meet the standard, as released, on January 31, 2020.
- The DoD plans to release around 20 RFPs this year that will require CMMC when the contract is awarded.
- By FY26, all new DOD contracts will contain CMMC requirements. All DoD contractors should already be at Level 1 as that parallels some existing requirements. Level 3 is going to be the level that most contractors need to achieve to be relevant.
- Things have changed some: under the new requirements, you must demonstrate that you are certified prior to the final award. Previous standards allowed you to identify the areas of needed improvement and put them on a POAM (Plan of Action and Milestones) to address later.
Crikey, where do I start?
Meeting the requirements of CMMC requires integrating multiple solutions. You may not have a
Cybersecurity expense line on your P&L, so this is a new (and significant) expense for you to consider. Here’s how to tackle it:
- Make sure you have the right people involved.
CMMC and any unintended non-compliance is a risk factor for your company, so you’ll need high-level business owners involved in this process in addition to technology owners – particularly those who are responsible for business risk.
- Get an assessment.
The time is yesterday! A CMMC assessment shows your performance against the standard and the gaps you’re required to fill. Before you ask: yes, there is a provision for self-audit if you’re up to the task; but [MSP name] can facilitate and speed up this complicated process substantially for you.
- Weigh your options.
In the end, complying with CMMC may cost more than your DoD revenue stream. You may want to consider selling that IP and the associated manufacturing processes to another larger, already CMMC certified, company rather than take on that compliance expense.
- Build a plan of action.
If you plan to move forward, work with [MSP name] to decide what gaps to fill first, then we can build a plan together. With the proper partners in the right places at the right time, you can be well on your way to CMMC compliance.
What are the levels and what do they mean?
CMMC Level
Desired Result
Details
Level 1
Basic Cyber Hygiene
17 controls of NIST 800-171 Rev. 1
Level 2
Intermediate Cyber Hygiene
48 controls of NIST 800 800-171 Rev. 1, plus 7 other new controls
Level 3
Good Cyber Hygiene
Final 45 controls of NIST 800-171 Rev. 1
(110 NIST controls total), plus 14 other new controls
Level 4
Proactive
13 controls of NIST 800-171 Rev. B, plus 13 other new controls
Level 5
Advanced/ Progressive
All previous controls, the remaining 5 of NIST 800-171 Rev. B, plus 11 other new controls
Let’s tackle this now and keep your
DoD business going strong.
Email: Carespacetech@Carespacetech.com