The Department of Defense (DoD) is expecting all companies working in its industrial base to comply with the requirements of the Cybersecurity Maturity Model Certification (CMMC) Version 1.0 by next year. This is part of the Pentagon's plan to safeguard controlled unclassified information (CUI) and industrial base networks from cyberattacks.
What Is the CMMC?
The CMMC is a security framework that uses a tiered system (Levels 1 through 5) to rate the cybersecurity maturity of DoD contractors. It was created in response to a DoD data breach that exposed the information of 30,000 employees. Beyond the tiers, CMMC differs from the existing NIST SP 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) regime in that it does not rely on self-certification.
Under the previous regime contractors self-attested to compliance, and a number of them claimed compliance they had not achieved while continuing to work on government projects without the required safeguards in place. Under the CMMC, contractors must instead be audited by certified third-party assessor organizations (C3PAOs) before they can be certified.
Contractors that fail a CMMC audit will not be able to bid on or work on contracts that carry a CMMC requirement. The framework will be phased in gradually through 2026, but a contractor must hold the required certification before it can bid on any contract that specifies a CMMC level, and the first such contracts are expected before the end of 2020.
How Can Your Company Prepare for DoD CMMC Certification?
Even though full implementation of the CMMC will take around five years, your company should start preparing for the audit now. Here is what your organization must do to start its CMMC compliance effort:
- Identify which CMMC maturity level your business needs. Under CMMC 1.0 the level is set by the contracts you pursue and by the data you handle: federal contract information (FCI) alone calls for Level 1, while controlled unclassified information (CUI) calls for at least Level 3. From there, you can learn the practices and processes required at that level.
- Create a budget for CMMC compliance. It should cover the cost of new or improved security controls, updated processes, and the C3PAO engagement itself.
- Start implementing the NIST SP 800-171 security requirements in your existing infrastructure based on your target CMMC level.
- Create a Plan of Action & Milestones (POA&M) to organize resource requirements and timelines and to track ongoing compliance with NIST SP 800-171 and other standards. Note that under CMMC 1.0 a POA&M cannot stand in for an unimplemented practice at assessment time: every practice and process at the target level must be fully in place before the C3PAO assessment.
The next step is to perform a self-assessment to see if you've met all the CMMC certification requirements, or if your company still has gaps and weak spots in its cybersecurity protocols. There are two ways you can do this:
- In-House Assessment
This is ideal for contractors with the necessary resources and their own IT staff. They can use the Self-Assessment Handbook (NIST Handbook 162) as a guide; it walks through the requirements of NIST SP 800-171 Rev. 2. Because Levels 4 and 5 add practices beyond NIST SP 800-171, the handbook is only sufficient for preparing for a Level 3 certificate or lower.
Before conducting an in-house assessment, be aware that you should be prepared to pass the CMMC audit on the first attempt. A company that fails its initial audit loses valuable time remediating the gaps found during the audit and then waiting for a reassessment.
- Outsourced Assessment
Many contractors prefer to outsource their self-assessment to a CMMC consultant, especially those that need a certificate above Level 3. Levels 4 and 5 add practices beyond NIST SP 800-171 Rev. 2, and a consultant has the knowledge and tools to assess those additional practices, which the NIST handbook does not cover.
Gap and Readiness Assessment
Once the self-assessment is complete, partner with a reliable managed IT services provider such as Charles IT to conduct a gap and readiness assessment. Our gap assessment gives contractors a detailed report on how close they are to meeting the requirements of their target CMMC level. The assessment reviews areas such as:
- How sensitive government data is stored and accessed
- How security protocols and incident response plans are implemented and maintained
- How personnel are trained with regard to cybersecurity best practices
If any security gaps are identified, we will help you build a remediation plan that includes:
- Detailed reports on how each security weakness was uncovered
- How to address each issue
- A timeline for fixing all weaknesses
With the help of Charles IT's highly trained security team, your company will be well prepared for its CMMC audit. Start your gap assessment now.