On January 31, 2020, the US Department of Defense (DoD) rolled out the long-awaited Cybersecurity Maturity Model Certification (CMMC). So if you’re a DoD contractor, how does the CMMC affect you, and what should you do now to prepare for implementation? Here’s a rundown of everything you need to know.
What is the CMMC?
The CMMC is essentially the DoD’s way of checking that contractors have sufficient cyber security in place to handle military contracts. It’s a pretty big change from before. Previously, all you had to do was self-certify your compliance readiness under a different set of regulations called NIST 800-171. Now, you need to prove you meet specific standards set out in the CMMC before you can bid on a contract or perform a task in the supply chain.
There are 5 maturity levels of CMMC compliance:
- Basic Cyber Hygiene
- Intermediate Cyber Hygiene
- Good Cyber Hygiene
- Advanced or Progressive
In short, every DoD contractor must meet level 1, but only level 5 companies can handle the most sensitive military data.
Our expectation is that most contractors will decide to pursue level 3 in order to bid on lucrative contracts. You can, of course, improve your rating over time.
Who does the certification apply to?
The CMMC applies to any DoD contractor in the supply chain. So, it doesn’t matter if you’re the lead contractor, or a subcontractor very far along the chain – you need some level of CMMC certification to perform the contract.
Not every contractor will need to demonstrate the same level of CMMC compliance. In other words, the lead contractor will probably need a higher certification level than a subcontractor handling a very small part of the contract. However, its important to keep in mind that each DoD contract will soon begin stating CMMC level requirements. Without have that certification level, the contractor won’t be eligible to bid on new contracts nor potentially maintain existing ones.
For now, it’s time to start preparing certification because its typically a 4-6 month process. It all starts with a CMMC gap analysis and readiness plan.
What should be in my gap analysis plan?
A gap analysis plan basically shows if you are ready for a compliance audit. In other words, it shows you if there is a gap between where you are in terms of cyber security and where you need to be.
Once you know where you stand, you can devise a cyber readiness plan to bridge any gaps you identify. So how do you perform a gap analysis? By following these simple steps.
- Identify what you hope to achieve, i.e. your desired certification level.
- Confirm what cybersecurity standards you must meet to achieve this certification. For example, if you want level 3 certification, you need a clear plan documented for monitoring, identifying, and responding to cyber threats. There are 130 required practices at this level.
- Compare your existing cybersecurity environment against the requirements. Are there any gaps you need to fill? Where does your company stand?
- Compile your findings and create a strategy for plugging holes in your security readiness, called a Remediation Plan.
A solid gap analysis is the first step to achieving CMMC compliance.
How do I get certification?
With a completed gap analysis and remediation plan, now you’re ready to get certified and bid on DoD contracts. The next steps are:
- Execute the Remediation Plan – technology items & policy and procedure items
- Build all CMMC required documentation (ie SSP, POAM)
- Schedule an appointment with a CMMC accredited auditor (C3PAO)
- If you pass, a CMMC certificate is issued by the CMMC-AB which is valid for 3 years.
Don’t rush the process but understand its not quick – so get started now!