Posted on January 11, 2021 - by Justin Gratto - in Building Your InfoSec Program
If your company wants to compete for contracts from the U.S. Department of Defense, you’ll need to achieve compliance and meet all the requirements for the Cybersecurity Maturity Model Certification.
The CMMC represents a unified approach to cybersecurity in the defense industry. It seeks to define clear technical requirements for contractors, subcontractors, and other organizations within the defense industrial base that handle controlled unclassified information (CUI) or federal contract information (FCI) within their own business.
Drawing from three different technology standards, the CMMC is a sweeping set of security compliance requirements. Here are the essentials you need to know to start preparing for and managing your compliance.
The CMMC framework was designed to be a comprehensive and scalable standard for defense contractors and subcontractors to protect information categorized as CUI. CUI is sensitive information (but not classified information, which carries even stricter security requirements). The framework is intended to help the Pentagon verify the implementation of required cybersecurity policies and procedures.
The CMMC is a new certification standard developed by the DoD and first published in January 2020. Starting in December 2020, CMMC became official department policy with contracts starting to include the new cybersecurity requirements.
If you’re getting questions about CMMC compliance or expecting to see these requirements in your contracts, here’s what you need to know:
The CMMC established five levels of certification to determine the maturity of an organization’s cybersecurity infrastructure, and thus its ability to safeguard CUI and FCI.
A spokesperson for the department stated most contractors will initially only need to meet Level 1 of CMMC compliance. The DoD will specify what level a company must have achieved to qualify for a contract in its Requests for Information and Requests for Proposals.
These five levels are tiered, so you must achieve compliance with the preceding level before advancing:
The levels in CMMC compliance loosely resemble the implementation groups in the CIS Controls framework, which also map to the NIST cybersecurity framework.
Having identified the level of compliance your company must achieve, start with the infrastructure that already exists. A risk assessment is often the ideal starting point for this. During this risk assessment phase, your security team should also:
With some 123 different controls, CMMC compliance requires project management for a phased rollout. A Plan of Action & Milestones (POA&M) describes the current security posture of an organization plus the vulnerabilities that have been uncovered in the system. It then lays out a course for corrective action to bring your infrastructure into alignment with compliance requirements.
FedRAMP provides excellent guidance on developing a POA&M and can be used to prepare for a CMMC audit.
Federal contractors have always been required to maintain strict cybersecurity standards when handling CUI and FCI. However, the CMMC introduces a new requirement for contractors seeking certification: third-party accreditation with a certified assessor.
Any cybersecurity expert with experience working for companies within the defense industrial base can help you prepare for the audit and certification. However, the final assessor must be accredited by the CMMC Accreditation Board for your certification to be considered valid.
Approaching a certified assessor early in your preparation process can help you identify the resources you will need to prepare.
Cybersecurity is not a set-it-and-forget-it project, and nowhere is that truer than the CMMC. As a very new program, the CMMC is expected to take up to five years to fully implement. Since its initial publication in January 2020, the standard has already seen numerous drafts and updates.
To increase your ability to maintain CMMC compliance, make sure you have a process to stay up to date with the latest developments. If your team can get in the habit now of staying current with changes, you may be the one who beats out a competitor for a new contract.
Not sure where to start? Consider backing up your team with expert advice and an information security management platform. With a centralized solution, you’ll be able to create, manage, and implement your policies from a single hub across your entire organization.
Going forward, companies operating within the defense industrial base will need to demonstrate compliance with the CMMC to win contracts from the DoD. Although many details are still developing, savvy companies are starting to assess and align their cybersecurity strategies now. By doing the same, you’ll ensure that your company stands at the forefront when new requirements start showing up in your contracts.