Before you start: Understand the Cybersecurity Maturity Model Certification (CMMC) framework
CMMC basics
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is a set of cybersecurity standards against which a DoD contractor’s capability to handle Controlled Unclassified Information (CUI) will be evaluated.
Who needs to be certified?
Any manufacturer or supplier that contracts or seeks to win a contract with the DoD, whether directly or indirectly, will need to be certified under the CMMC model. In practice, any contractual data generated by the DoD is CUI, so acquiring at the very least a CMMC level 3 certification would be required of any contractors seeking to win or keep a contract with the DoD.
Get familiar with the CMMC levels and controls
You’ll want to get familiar with the basic CMMC levels and controls. There are five levels, ranging from basic cybersecurity hygiene (the minimum required to bid on federal contracts) to advanced and progressive cybersecurity hygiene (meant to repel advanced state-based persistent threats).
Get familiar with the certification process
The CMMC certification process is one that many contractors will be working hard to get through successfully. Make sure you are at or above the level of your competitors by becoming familiar with CMMC and how CMMC certification is obtained.
CMMC Third Party Assessment Organization (C3PAO)
A CMMC Third Party Assessment Organization (C3PAO) is a third-party auditing organization authorized by the DoD to conduct CMMC audits and issue certifications. The DoD will also provide a marketplace of vetted C3PAO organizations that are able to perform CMMC assessments.
Process overview
The process to succeed at the Cybersecurity Maturity Model Certification involves getting familiar with the CMMC, aiming for the right level of CMMC certification, performing gap assessments or internal audits, making changes to security controls, and then working with a third party to conduct the official audit.
Cost
The estimated cost of the certification process is listed in this National Defense magazine article. However, you should budget time and money for securing your systems and implementing controls, as well as any external audits. Since the ability to bid on DoD contracts is on the line, you’ll want to make sure your CMMC process is well-resourced and that you meet CMMC requirements as soon as possible.
Steps to take to ensure CMMC audit success
Step 1: Use existing guidelines to review your current cybersecurity maturity
Check your compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171 regulations. This will give you a good baseline of which controls you have already implemented and which ones you might look to implement in the future. 85% of level 3 CMMC certification depends on NIST 800-171 security controls, so starting from your DFARS compliance is a good way to evaluate where you currently stand against CMMC requirements.
Step 2: Identify the gaps in your security protocol and determine what needs to be strengthened and/or improved
Determine which security controls you need to implement, ideally after a gap assessment from a third party. Strengthen controls required for the CMMC level you’re aiming to certify for. For most contractors with the DoD, that’s a level 3 certification, which allows handling of CUI.
Step 3: Assess your business’s ability to fill in the gaps identified (can you do it in-house?)
Assess whether you are equipped to implement any needed security controls yourself. Consider enlisting external help for critical services such as endpoint encryption, external vulnerability scanning, and backup and disaster recovery.
Step 4: Create a plan that will be sustainable in the long-term
Create a plan that lays out details such as company protocols, employee responsibilities, the security solutions needed, and their cost. With a detailed plan, you will be able to identify whether you have the manpower and budget to sustain the upgrades to your cybersecurity in the long term. It will also help you decide whether it is best to outsource these solutions or set them up yourself with your own resources.
Step 5: Implement the plans and start step 1 again
Check whether the plans you have implemented actually got you closer to CMMC compliance. You can do this by reviewing your refreshed cybersecurity protocols and identifying any further gaps that need to be filled.
Identifying and filling gaps in your cybersecurity is an ongoing process. Merely implementing a group of security solutions will not maintain CMMC compliance on its own. You and your team need to stay informed and have access to proper channels of communication and support to ensure that your cybersecurity hygiene is operating at the optimum level.
If you want to begin the process, a good first step is a gap assessment from an IT service provider that is familiar with the DFARS and NIST 800-171 security controls and the evolving CMMC standards. Start your gap assessment now.
NOTE: In 2024, everyone will be required to move from CMMC to CMMC 2.0. Ensure you are prepared with our CMMC 2.0 Guide and let us know if we can help talk you through anything!
Editor's Note: This blog was originally published on August 10th, 2020. It was updated on June 30th, 2023 for accuracy.