The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework created by the Office of the Under Secretary of Defense for Acquisition and Sustainment or OUSD(A&S). This new security framework was designed to ensure all contractors and subcontractors working for the United States Department of Defense (DoD) have sufficient cybersecurity measures to safeguard federal contract information (FCI) and controlled unclassified information (CUI).
The CMMC model combines cybersecurity control requirements from NIST 800-171, ISO 27032, ISO 27001, and NIST SP 800-53, to create more coordinated and detailed cybersecurity standards for DoD contractors. And unlike other security standards, a certified third-party CMMC auditor will perform the assessment before compliance can be achieved.
Why You Need to Be CMMC 2.0 Compliant
All new DoD contract requests for information (RFIs) and requests for proposal (RFPs) require CMMC compliance. If your company is CMMC certified, it will have a competitive advantage over other businesses, and it has a better chance of landing DoD contracts, as well as retaining them.
Besides winning and keeping DoD contracts, your CMMC-certified company can:
- Lower the risk of data breaches
- Reduce the risk of insider threats
- Be compliant with other regulations, including FISMA, SOX, HIPAA, and NIST
If your company is not CMMC certified, it can be prohibited from participating, bidding, and winning a DoD contract.
What Are the CMMC 2.0 Requirements?
The CMMC framework uses a tiered system to determine your company's maturity based on the complexity of your cybersecurity protocols and policies. The DoD will assign the level of certification your company needs, and it's your responsibility to meet the specific requirement of that level and the ones below it. Here is a list of the different CMMC levels, and their respective CMMC requirements.
What Does the CMMC 2.0 Audit Look Like?
The DoD has not yet completed the details of the CMMC audit process, but the following are worth noting:
- All contractors working for the DoD are required to be CMMC certified by passing a CMMC compliance audit. The CMMC Accreditation Body (AB) recommends that contractors should prepare for the audit at least six months in advance.
- The DoD will work with certified third-party assessor organizations (C3PAOs) that will be responsible for performing audits to ensure a contractor has met all the required cybersecurity controls needed for a specific level.
- A contractor will be level certified if the CMMC auditor sees it meets all the requirements specific to that level.
- The Defense Contract Management Agency (DCMA) and the Defense Counterintelligence and Security Agency (DCSA) may perform assessments in addition to C3PAOs.
Tips to Pass Your CMMC 2.0 Audit
Unlike the Defense Federal Acquisition Regulation Supplement (DFARS) where self-certification is allowed, the CMMC model requires contractors to go through an assessment performed by a C3PAO. Here are some tips you can use to ensure you'll pass your CMMC compliance audit.
Start Today
Preparing for a CMMC compliance audit is just like preparing for any type of exam — you need to get ready as soon as possible to ensure your systems are ready for the audit. Here's how you can do that:
- Self-Assessment
If your organization has an IT staff and available resources, you can perform a self-assessment using the Self-Assessment Handbook - NIST Handbook 162.
- Work With a CMMC Consultant
You also have the option to work with a CMMC consultant. A CMMC consultant will help you meet the controls stated in NIST SP 800-171 Rev. 1 and Rev. 2. Working with a consultant who understands the factors involved in becoming CMMC compliant will take most of the pressure off your shoulders.
Get a Gap Assessment
Getting a gap assessment is a good way of identifying weaknesses and gaps in your IT infrastructure. Charles IT's gap assessment will ensure that your business has the minimum security requirements in place to comply with CMMC standards. Want to pass your CMMC audit the first time? Start with a gap assessment: https://www.charlesit.com/gap-assessment/
Editor's Note: This blog was originally published on August 17, 2020. It was edited for accuracy on July 30, 2023.