The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework created by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The framework was designed to ensure that all contractors and subcontractors working for the United States Department of Defense (DoD) have sufficient cybersecurity measures in place to safeguard federal contract information (FCI) and controlled unclassified information (CUI).
The CMMC model combines cybersecurity control requirements from NIST SP 800-171, ISO 27032, ISO 27001, and NIST SP 800-53 to create a more coordinated and detailed cybersecurity standard for DoD contractors. Unlike standards that accept self-attestation, CMMC requires that a certified third-party assessor perform the assessment before certification can be achieved.
DoD contract requests for information (RFIs) and requests for proposal (RFPs) specify the CMMC requirement that applies to the contract. If your company is CMMC certified, it has a competitive advantage over other bidders and a better chance of winning DoD contracts and of retaining them.
Besides winning and keeping DoD contracts, your CMMC-certified company can:
If your company is not CMMC certified, it can be prohibited from participating in, bidding on, and winning a DoD contract.
The CMMC framework uses a tiered system of maturity levels, with each level defined by the scope and rigor of the cybersecurity practices and policies it requires. The DoD specifies the certification level your company needs for a given contract, and it is your responsibility to meet the requirements of that level and of every level below it. Here is a list of the different CMMC levels and their respective requirements.
The DoD has not yet completed the details of the CMMC audit process, but the following are worth noting:
Unlike the Defense Federal Acquisition Regulation Supplement (DFARS), under which self-attestation is allowed, the CMMC model requires contractors to undergo an assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). Here are some tips you can use to make sure you pass your CMMC compliance audit.
Preparing for a CMMC compliance audit is much like preparing for an exam: start as early as possible so that your systems are ready when the assessor arrives. Here is how you can do that:
If your organization has IT staff and resources available, you can perform a self-assessment using NIST Handbook 162, the NIST MEP Cybersecurity Self-Assessment Handbook for assessing NIST SP 800-171 security requirements.
You also have the option of working with a CMMC consultant. A CMMC consultant will help you meet the controls in NIST SP 800-171 Rev. 2 (which superseded Rev. 1). Working with a consultant who understands what is involved in becoming CMMC compliant will take much of the pressure off your shoulders.
A gap assessment is a good way to identify weaknesses and gaps in your IT infrastructure before the audit does. Charles IT's gap assessment checks that your business has the minimum security requirements in place to comply with CMMC standards. Want to pass your CMMC audit the first time? Start with a gap assessment: https://www.charlesit.com/gap-assessment/
Editor's Note: This blog was originally published on August 17, 2020. It was edited for accuracy on July 30, 2023.