In this blog, we discuss why achieving a Cybersecurity Maturity Model Certification , or CMMC gives the Department of Defense as well as other state and federal agencies, reassurance about a contractor's security practices and controls for securing data. Contractors who are competing for prime contracts or working as a subcontractor will have a distinct advantage based on having a CMMC certification. Eventually, every state and federal agency will require all contractors to be CMMC certified when dealing with controlled unclassified information (CUI). When this occurs, all major prime contractors throughout the supply chain will comply and flow down those requirements to their ecosystem of subcontractors. If you'd like to stay in the game and potentially gain footing with the primes or government agencies you are currently doing business with, it's highly recommended to start now. Obtaining a CMMC certification is a strong indicator to potential customers that you have in place the internal controls to manage performance risks.
In 2020, the Defense Department formally started rolling out a new approach to cybersecurity for its contractors: the CMMC. The CMMC is designed to ensure that those contracting with the DoD are practicing appropriate cybersecurity controls to secure the Defense Department's data.
The CMMC certification is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the networks of the DoD's contractors.
There are three levels of certification, ranging from basic cyber hygiene (Level 1) to advanced cybersecurity controls (Level 3). Any contractor doing business with the DoD will need to have a CMMC accreditation to receive future contracts. The DoD recently issued an interim rule on the CMMC in the Defense supplement to the Federal Acquisition Regulation.
The timeline for requiring all DoD contractors to achieve a level of CMMC compliance continues to slip to the right. The latest predictions are that full implementation will start in the summer of 2023. This shouldn't deter you from acting now. The time committed to installing a proper cybersecurity program within your organization can be intensive. By making a commitment to plan for these changes, you can put yourself at the front of the class and potentially be in the driver's seat for new contract awards in the future.
Investment in assessing and qualifying for CMMC compliance demonstrates a contractor's commitment to the DoD and other government agencies that it takes IT and data security extremely seriously, and that the contractor can be trusted to protect sensitive government data. Any contractor looking to demonstrate such integrity and rigor when it comes to securing government data would do well to achieve a level of CMMC accreditation corresponding to the type of work they are performing as soon as possible.
The CMMC Accreditation Body, (Cyber AB), a nonprofit, independent organization, is starting to accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors - those who will actually perform the CMMC assessments of DoD contractors. The Cyber AB thus far has completed the first provisional training of C3PAOs. The Cyber AB has also published draft guidelines outlining the requirements for the CMMC certification audit.
The provisional assessors will "shake out the program and what needs to be done before the training and certified assessors for the open market are released. The government has estimated that 7,500 companies will be certified in 2023.
What are assessors looking for when they look at a contractor's approach to cybersecurity? First, they are looking at what kinds of certifications a company has already achieved to see what its level of cybersecurity controls are. If a contractor has achieved ISO 28000 certification, demonstrating end-to-end secure supply chain controls, as well as ISO 27001 , which covers requirements for NIST-based information security management standards, this provides a great start for CMMC compliance. Achieving those certifications demonstrates to the C3PAOs a level of commitment to security controls and practices. If contractors do not have such certifications already, it may be difficult to achieve the required level of CMCC accreditation quickly.
C3PAOs are also looking to assess the kinds of controls a contractor has in place to protect DoD sensitive data (call it CUI for SEO), such as but not limited to, a build of materials or a schematic or other government data that is sent over as part of a contract. The contractor may have firewalled off the data and implemented multi-layered authentication controls to provide access to such data on a need-to-know basis. Implementing security controls around which personnel can try to access the data is an example of the type of practice that needs to be in place.
CMMC Levels 1 through 3 encompass the 110 security requirements specified in NIST SP 800-171 Rev.2 , which covers the protection of controlled unclassified information in nongovernment systems. There are additional controls built on top of that for the CMMC, and assessors look at not only a contractor's implementation of cybersecurity protection system, but also its institutionalization of cybersecurity practices.
Each DoD contractor is going to be at a different maturity level in terms of the cybersecurity controls it employs. That is based on the company's understanding of security controls and processes and how central they are to that company's business model. If you organization utilizes the services of a managed service provider (MSP) and the MSP has implemented relevant controls, then the contractor is able to claim credit for them.
Attaining a high-level CMMC accreditation is an excellent indicator that the contractor can meet the DoD's core cybersecurity objectives. Currently, a C3PAO needs to perform a separate evaluation of each contractor, on a task order by task order basis, to ensure that the contractors meet certain cybersecurity controls. The CMMC will mean specific DoD agencies no longer need to perform its own assessments. It also ensures that DoD will have a pool of accredited suppliers that have already been vetted and meet the necessary controls.
The CMMC 2.0 will be rolled out initially on targeted contracts, and those that have achieved a level of certification will be in a strong position to participate in those. Eventually, the CMMC process will be applied in the years ahead to agencies outside the DoD. That makes being able to demonstrate compliance even more valuable for contractors, especially as they perform more services for agencies and conduct operations onsite with them.
The CMMC process is not simple. Companies cannot attain a high-level CMMC accreditation by taking a cookie-cutter approach to cybersecurity. That is not how security in the government contracting world works. However, for those looking to contract with the DoD as well as other state and federal agencies, mastering it is essential.
Your first step should be to review the CMMC 2.0 requirements. If you have not done this, it's not too late to get started. Below is a list of suggested next steps. Once you've completed all the tasks listed below ... you should be ready for an independent audit.
Attaining certifications requires commitment and investment that pays off when it comes time to receive an accreditation. Government agencies trust contractors with CMMC certification to protect their data because they know about the rigorous security controls that have been put in place to secure their data. Gaining that trust via an accreditation like the CMMC demonstrates the company's commitment to security and strengthen its value as a trusted partner.
In a related blog, we discuss Utilizing Managed Services for Fractional CISO Support to outsource the entire compliance process. Service providers, such as AtWork Systems, provide both the governance, risk, and compliance (GRC) tools as well as the security resources needed to continuously assess and monitor compliance. Selecting the right managed service provider (MSP) can provide a significant step forward, allowing the contractor to leverage processes and systems that have already been certified.
AtWork Systems provides a SaaS based GRC tool as well as in-house security team of experts and entire organization dedicated to security controls.