If you are a contractor for the US Department of Defense (DoD), you’ve probably already prepared for Cybersecurity Maturity Model Certification (CMMC). The CMMC is a program that measures organizations’ cybersecurity maturity level and identifies whether a contractor's security protocols meet government standards.
The CMMC compliance measures overlap with the Defense Federal Acquisition Regulation Supplement (DFARS) compliance program, which includes systems operated by or for a contractor, including processing, storage, and transmission of defense information.
It’s essential to know the key differences between CMMC and DFARS compliance. And to become CMMC certified, you need to take these steps:
- Ensure compliance with the NIST 800-171
Start by ensuring your organization’s compliance with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). The NIST SP 800-171 is a set of CMMC cybersecurity control requirements for protecting controlled unclassified information (CUI). Government publications like the NIST SP 800-171 share similarities with the CMMC mandates in maintaining security controls. That means compliance with NIST SP 800-171 puts you one step closer to being CMMC compliant.
- Align your timelines with the CMMC Cybersecurity
By now, you should have already identified your organization’s CMMC maturity level. CMMC maturity levels indicate a contractor’s level of capability to comply with CMMC measures based on set controls.
Knowing your maturity level makes you better prepared to plan your certification process according to the recommended CMMC timeline:
- January 2020: The following CMMC information is released: CMMC levels, requirements for every level and independent CMMC certifiers and Third Party Assessment Organizations’ (3PAO) training materials.
- February–May 2020: Assessors undergo CMMC certification training to perform assessments and understand the requirements for all CMMC maturity levels.
- June–September 2020: Contractors’ requests for proposal (RFP) and requests for information (RFI) are approved based on their CMMC certification. During this period, only a certain number of contractors will be selected for initial CMMC audits.
- October 2020 onward: From this point onward, holding the appropriate CMMC maturity level certification will determine contractors’ and subcontractors’ eligibility to be approved for a DoD contract.
- Familiarize yourself with Third-Party Assessment Organizations (3PAOs)
Your CMMC maturity needs to be signed off by 3PAOs, which are organizations qualified to perform security assessments on cloud-based systems.
Although you may conduct your own internal assessments and implement security controls that align with CMMC standards, a 3PAO will still need to be involved in the compliance process. It's essential to become familiar with these assessors, as they will evaluate your target maturity level’s conditions, and many of them also assess contractors for NIST compliance.
In some instances, the DoD may conduct assessments for high-level CMMC certifications. If you fall under this assessment category, coordinate with assessors from the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
- Identify the level of CMMC cybersecurity compliance for your organization
Government agencies will select contractors for a project and choose organizations that meet the level of security required for it. Note that contracts will be awarded only to companies that have the appropriate CMMC maturity level. That is why it’s important that companies know the five maturity levels for CMMC compliance and understand how every level builds on the foundation of previous levels.
Here’s a summary of the five levels of the CMMC model:
|
Level 1: Basic Cybersecurity Hygiene |
There’s no requirement to document security processes, and it is the easiest level to achieve. |
|
Level 2: Intermediate Cyber Hygiene |
Security processes must be processed and documented. |
|
Level 3: Good Cyber Hygiene |
Most contractors aim to achieve this level since this is the minimum level that allows companies to handle CUI. |
|
Level 4: Proactive Cyber Hygiene |
Achieving this level requires meeting the requirements from Level 1–3 and additional cybersecurity measures. |
|
Level 5: Advanced and Progressive Cyber Hygiene |
The highest level of certification requires the demonstration of sophisticated cybersecurity capabilities to safeguard CUI from advanced persistent threats. |
To learn more about the Cybersecurity Maturity Model and its different levels, read our in-depth article, “The Levels of the Cybersecurity Maturity Model Certification Explained”.
If your organization needs help preparing for CMMC audit and certification, consult Charles IT’s compliance experts. We’ll help guide you through the entire process of becoming CMMC certified so you can take on the contracts your business needs. Get a quote today.
