If you are a contractor for the US Department of Defense (DoD), you’ve probably already prepared for Cybersecurity Maturity Model Certification (CMMC). The CMMC 2.0 is a program that measures organizations’ cybersecurity maturity level and identifies whether a contractor's security protocols meet government standards.
The CMMC 2.0 compliance measures overlap with the Defense Federal Acquisition Regulation Supplement (DFARS) compliance program, which covers systems operated by or for a contractor that process, store, or transmit defense information.
It’s essential to know the key differences between CMMC 2.0 and DFARS compliance. And to become CMMC 2.0 certified, you need to take these steps:
- Ensure compliance with the NIST 800-171
Start by ensuring your organization’s compliance with National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). NIST SP 800-171 is the set of cybersecurity control requirements for protecting controlled unclassified information (CUI) on which the CMMC controls are based. Because government publications like NIST SP 800-171 require many of the same security controls as the CMMC 2.0 mandates, compliance with NIST SP 800-171 puts you one step closer to being CMMC 2.0 compliant.
- Align your timelines with your CMMC 2.0 cybersecurity maturity level
By now, you should have already identified your organization’s CMMC 2.0 maturity level. CMMC 2.0 maturity levels indicate a contractor’s level of capability to comply with CMMC measures based on set controls.
Knowing your maturity level makes you better prepared to plan your certification process. Since October 2020, holding the appropriate CMMC maturity level certification has determined whether contractors and subcontractors are eligible to be approved for a DoD contract.
- Familiarize yourself with Third-Party Assessment Organizations (3PAOs)
Your CMMC 2.0 maturity needs to be signed off by 3PAOs, which are organizations qualified to perform security assessments on cloud-based systems.
Although you may conduct your own internal assessments and implement security controls that align with CMMC 2.0 standards, a 3PAO will still need to be involved in the compliance process. It's essential to become familiar with these assessors, as they will evaluate whether you meet the conditions of your target maturity level, and many of them also assess contractors for NIST compliance.
In some instances, the DoD may conduct assessments for high-level CMMC 2.0 certifications. If you fall under this assessment category, coordinate with assessors from the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
- Identify the level of CMMC 2.0 cybersecurity compliance for your organization
When government agencies select contractors for a project, they choose organizations that meet the level of security the project requires. Note that contracts will be awarded only to companies that hold the appropriate CMMC 2.0 maturity level. That is why it’s important that companies know the three maturity levels for CMMC 2.0 compliance and understand how each level builds on the foundation of the previous ones.
Here’s a summary of the three levels of the CMMC 2.0 model:
To learn more about the Cybersecurity Maturity Model version 2.0 and its different levels, read our in-depth article, “CMMC 2.0 CERTIFICATION: EVERYTHING DoD CONTRACTORS NEED TO KNOW TO ADHERE TO REVISED PRIVACY STANDARDS”.
If your organization needs help preparing for CMMC 2.0 audit and certification, consult Charles IT’s compliance experts. We’ll help guide you through the entire process of becoming CMMC 2.0 certified so you can take on the contracts your business needs. Get started with Charles IT today.
Editor's Note: This blog was originally published on August 28, 2020. It was edited for accuracy on July 30, 2023.