By September 30, 2025, the Department of Defense (DoD) will require that all defense contractors submitting a bid on defense contracts prove that they are certified to the appropriate level of cybersecurity standards.
The DoD designed the Cybersecurity Maturity Model Certification (CMMC) as a unified standard for defense contractors to address cybersecurity issues. Between 2021 and 2025, new DoD requests for proposals (RFP) will gradually begin requiring CMMC certification.
In just over four years, every DoD contractor and supplier will need to be audited and certified by an approved third-party auditor. Preparing for this audit can take a company six months to two years. As a result, many small and medium-sized businesses struggle to find the staff and financial resources needed to ensure they are meeting security regulations.
Level Up in Cybersecurity
An organization aiming to obtain contracts for the DoD will be required to complete the CMMC certification via a third-party assessor. To create a unified standard for cybersecurity, CMMC combines controls drawn from several existing frameworks, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and others.
Through CMMC, auditors can verify that DoD contractors have implemented the required security controls, processes and procedures, rather than allowing contractors to self-certify, as NIST SP 800-171 permitted. To reinforce the NIST 800-171 requirements, CMMC emphasizes auditing and monitoring processes that detect incidents when they occur. CMMC defines five levels of cybersecurity, ranging from basic cyber hygiene to advanced practices.
The required CMMC level, from Level 1 to 5, will be specified in Sections L and M of every DoD RFP. Proof of certification at that level will be a prerequisite for even submitting a bid. This means that every prime contractor and subcontractor who works for the DoD will be required to certify, at a minimum, at Level 1.
Putting a policy in place can help make the process easier if contractors wish to obtain a higher level of certification in the future.
The CMMC levels are as follows:
Level 1: Basic Cyber Hygiene: implementation of 17 controls.
Level 2: Intermediate Cyber Hygiene: implementation of 72 controls (includes Level 1 controls).
Level 3: Good Cyber Hygiene: implementation of 130 controls (includes Level 2 controls).
Level 4: Proactive: implementation of 156 controls (includes Level 3 controls).
Level 5: Advanced/Progressive: implementation of 171 controls (includes Level 4 controls).
Gaining Success with CMMC
Similar to any compliance initiative, the success of CMMC is determined and supported by careful planning and interpretation of CMMC requirements at an organizational level.
Following the guidance of compliance experts helps keep core business processes free of major disruptions during the effort.
Here are five tips for improving your success rate with CMMC.
1. Assess your current operations for compliance with NIST 800-171. If you are new to Federal government and DoD procurement compliance, reviewing this information provides important context. Your assessment should cover all 14 families and 110 security requirements. It can be an internally led effort or executed by a third party, but since CMMC eliminates self-certification, building a relationship with a third-party assessor now is recommended.
2. Identify the right CMMC level for your organization. The majority of small and mid-sized companies will only require a Level 1 certification. However, any organization that handles CUI will require a Level 3 certification.
3. Carefully read through contracts and RFPs for cybersecurity requirements. It’s very important to read through all of the details. CMMC requirements will be stated in Sections L and M of RFPs. If you have questions, look to procurement or compliance experts.
4. Don’t skip scoping your boundary. Incorrectly scoping your boundary creates extra work and can jeopardize your chances of achieving compliance. An experienced advisor can help you identify where your CUI or Federal Contract Information (FCI) is stored and processed.
5. Document, document, document. Document your System Security Plan (SSP) and your Plan of Action & Milestones (POAM). Your SSP describes your system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Your POAM identifies your deficiencies with NIST 800-171 and maps out how you will close these gaps. Documenting every policy and procedure and collecting evidence of implementation is critical for being able to demonstrate compliance with CMMC and achieving your goal CMMC level.
For more information on CMMC certification, contact Connie Palucka, Vice President, Consulting, Catalyst Connection | 412.918.4259 | email@example.com