Contracting with the Department of Defense is a great opportunity to grow your manufacturing business. However, before landing your first contract with the DoD, you'll need to meet a slew of regulatory compliance requirements. For manufacturing firms new to the game and with no expertise in this area of business, these requirements pose a real challenge. Manufacturing firms that already have experience working with the DoD have some advantage, but failing to keep up with recent changes can still prove disastrous, and in some cases can cost them their contracts.
CMMC Requirements - an overview
The Cybersecurity Maturity Model Certification (CMMC) is a recently announced regulatory process that is expected to be in full effect some time in late 2020. It was created to supplement the existing DFARS requirement that contractors implement NIST SP 800-171 for the careful handling of controlled unclassified information (CUI).
The CMMC will fully replace self-certification as the means of determining which DoD contract bidders meet the standards set by NIST SP 800-171. Under the new process, companies contracting with the DoD will have to engage an independent, accredited third-party assessor to acquire the certification.
Who needs to comply with the CMMC requirements?
The CMMC requirements are a new set of strict audits designed to make sure every manufacturer and supplier that sells to the DoD meets a minimum level of cybersecurity.
Starting in late 2020 (though a delay to early 2021 may be expected due to COVID-19), any business that contracts with the DoD, or subcontracts with a business that sells to the DoD, will need to be CMMC certified. Businesses that deal with or generate CUI will need at least a Level 3 CMMC certification.
It's important to note that the CMMC requirements don't replace DFARS regulations. Every DoD contractor that handles CUI still runs the risk of losing its contracts if it does not comply with the minimum security requirements of DFARS.
The CMMC requirements are best seen as a supplement to DFARS regulation, with the difference that an independent audit by a certified third-party assessor is now required. The controls laid out in NIST SP 800-171, along with new additional controls, will be evaluated together with the company's institutional capacity to follow cybersecurity best practices.
How to meet the CMMC requirements
CMMC certification requires your company to pass an audit by a third-party assessor accredited by the CMMC Accreditation Body. Delays in obtaining the certification may hamper your business's ability to work with the DoD, and given that this is a new process, there may well be a backlog of audits when it starts.
To ensure that you’re fully prepared for your CMMC audit, you’ll need to conduct a gap analysis and assessment of your current cybersecurity practices. Whether you’re looking to conduct this analysis in-house or with the help of a third party, you will first need to identify which certification level you’ll be required to acquire for the type of contract you’re bidding for.
There are five levels of CMMC certification, ranging from Level 1 (basic cyber hygiene) up to Level 5 (advanced and progressive cyber hygiene). Contractors handling CUI will need to be certified at Level 3 or above, which means implementing all of the NIST SP 800-171 requirements plus a set of additional CMMC practices. Getting there will require a review of your current cybersecurity controls, a gap analysis, and stringent adherence to every NIST SP 800-171 requirement mapped to that level.
For more information on CMMC certification levels and which certification level your company needs to acquire, check out this article.
CMMC Audit Process
In order to get certified, you have to pass a CMMC audit for the specific certification level you're trying to reach. The levels are cumulative, so the audit also covers every practice from the levels below it. The audit will be conducted by a CMMC Third-Party Assessment Organization (C3PAO). A regularly updated list of accredited organizations and individuals will be posted on the CMMC Accreditation Body website, and a CMMC marketplace will give organizations access to the list of approved C3PAOs.
Once C3PAOs have been accredited, you will need to engage one to audit your cybersecurity maturity. Once you pass, the DoD will have access to your certification level and will be able to determine whether or not you're qualified for a specific contract. A CMMC certificate will generally be valid for three years.
Preparation tips to ace your CMMC requirements
To be fully prepared for your CMMC audit, you'll want to keep an eye on updates as the CMMC process gets rolled out. Appointing someone from your organization as your designated CMMC leader would be a smart move. That person will be responsible for keeping up with updates, scrutinizing each area of your cybersecurity hygiene, and assessing your company's readiness for an audit. Needless to say, your CMMC leader will also need to know everything there is to know about the CMMC requirements, so make sure that they read our guide to CMMC compliance requirements.
If you’re unsure whether a current employee has all the necessary expertise required to get your company certified, you can instead consult with a trusted expert on DFARS regulations, like Charles IT. Since NIST SP 800-171 requirements make up a large part of the CMMC certification process, it makes sense to work with a trusted provider who has extensive experience with DFARS compliance.
Whether you choose to take on this challenge in-house or enlist the help of expert consultants, you will need to do the following to increase your chances of successfully meeting your CMMC requirements:
- identify where your current cybersecurity maturity is and where you want to be;
- conduct a gap analysis to figure out which areas of your current cybersecurity hygiene need to be improved or strengthened before you are equipped to reach your desired certification level;
- formulate a plan of action to fill in the gaps that you’ve identified; and,
- implement the necessary cybersecurity upgrades to protocols and processes to meet the requirements of your desired certification level.
Your company's ability to do business with the DoD is on the line if you don't pass your audit. You need to earn the certification on your first CMMC audit so that you don't lose critical time and revenue preparing for and undergoing reassessments. Do everything right the first time, and start with a gap assessment.