An Introduction to the CMMC Certification

The Defense Industrial Base (DIB) sector provides products and services that are essential to the military operations of the United States Department of Defense (DoD). As such, the sector keeps intellectual property and sensitive information — officially categorized as federal contract information (FCI) and controlled unclassified information (CUI) — that are highly sought after by cybercriminals. If DIB companies fall victim to a cyberattack, this increases the risk to national security. 


Definition of Terms:

“Federal contract information (FCI) is any information provided by or generated for the Government under contract not intended for public release.”

“Controlled unclassified information (CUI) is any information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.” 


To enhance the cybersecurity posture of the DIB sector, the Office of the Under Secretary of Defense for Acquisition and Sustainment developed the Cybersecurity Maturity Model Certification (CMMC) framework. 


What Is CMMC?

The CMMC model measures the cybersecurity maturity of an organization by assigning it a maturity level ranging from 1 to 5, with 5 being the highest. 


By classifying its vendors into different levels, the DoD ensures that contracts are awarded to vendors that have the appropriate levels of cybersecurity practices and processes in place. For example, only those who achieve at least the CMMC Certification Level 3 can handle projects that deal with CUI. 


Who Needs to Obtain CMMC Certification?

Currently, the DoD requires its contractors to meet Defense Federal Acquisition Regulation Supplement (DFARS) compliance. But the department will soon require all of its vendors — some as early as September 2020 — to pass the CMMC. 


Further reading: Know the Difference Between DFARS and CMMC


FAQ: Does my company still need to be CMMC-compliant if it does not handle CUI?

If you don’t possess CUI but handle FCI, then you must at least achieve CMMC Certification Level 1. But companies that solely produce commercial off-the-shelf (COTS) products do not have to get CMMC certification.


FAQ: Do DoD subcontractors also have to meet CMMC compliance? 

Yes, except if your company solely produces COTS products. Otherwise, the CMMC certification level that you need to achieve depends on the type and nature of information that flows from your prime contractor.


Did you know that the General Services Administration’s $50 billion STARS III contract posted in July already requires CMMC?

How Can You Achieve CMMC Compliance?

Unlike DFARS’s self-certification, CMMC assessments can be performed only by accredited CMMC third-party assessment organizations (C3PAOs) and individual assessors who undergo CMMC certification training. But beware of fake CMMC auditors! Only the CMMC Accreditation Body (CMMC-AB) is authorized to provide CMMC certification training and accreditation, and it opened the accreditation process to applicants only on June 22.


As of this writing, CMMC-AB is eyeing either late 2020 or early 2021 as the time frame for its accreditation educational program and will then publish a list of approved assessors on its CMMC Marketplace. Once the listing is provided, DIB companies will be able to pick an accredited CMMC auditor and schedule a CMMC assessment for a specific level.


What Can I Do Now to Prepare for CMMC?

Just because you can’t schedule a CMMC assessment yet doesn’t mean you can’t do anything but wait. A great starting point is to undergo a gap assessment. This step will help you determine the existing weaknesses and potential danger spots in your company’s cybersecurity posture.


When devising a plan to remediate these security vulnerabilities, make sure that you meet at least the minimum security requirements of your targeted CMMC certification level. The DoD has already released the technical frameworks that each level adopts, which are based on existing ones such as the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 and NIST 800-171.



Implementing the cybersecurity best practices and processes stipulated in these existing frameworks will put you on the right track to achieving your CMMC certification. While this sounds easy, complying with these security standards can become a herculean task, especially for small- and medium-sized businesses (SMBs) that have limited budgets and/or no internal staff with technical expertise. 

Fortunately, SMB owners like you can turn to Charles IT. We offer cost-effective compliance and security assessment services that will ensure that your company is compliant with all necessary industry regulations and standards. Get started by availing yourself of our gap assessment!
