10 Things You Need to Know About CMMC

The "Cybersecurity Maturity Model Certification" (CMMC) is a new DoD program to verify that contractors are protecting their unclassified information. This includes safeguarding contract-related information categorized as "controlled unclassified information" CUI and or "federal contract information" FCI.

In the past, only companies with contracts involving the handling of CUI had to meet cybersecurity requirements. This required them to put in place the NIST SP 800-171 family of cybersecurity controls (see DFARS 252.204-7012). These companies would "self-attest" to having met their cybersecurity requirements. Any requirements not implemented were documented in a plan of action & milestones (POA&M) to be completed later. All their security controls were documented in a system security plan (SSP).

With CMMC you can no longer "self-attest" to meeting your DoD cybersecurity requirements. You will undergo a third-party assessment that will determine if you meet your contract's cybersecurity requirements. There are five CMMC levels, with one being the easiest and five being the most difficult.

CMMC requirements will apply to over 300,000 companies with DoD contract. However, there is an exception for companies selling Commerical-Off-The-Shelf (COTS) products. ALWAYS CHECK YOUR CONTRACT to determine if CMMC applies to you. Requirements will begin to appear in RFIs in mid 2020 and in RFPs in late 2020. The DoD hopes to have all 300,000 companies in the defense industrial base certified within the next 5 years.

As of yet, non-DoD contracts do not require CMMC. There has been talk that the rest of the federal government may adopt it in the coming years.

Much of NIST SP 800-171 has been integrated into CMMC. As a matter of fact, almost all the controls for CMMC levels 1-3 are drawn from NIST SP 800-171.

CMMC comes with a new cybersecurity framework. It includes "practices" and "processes". Practices are the security controls your company needs to implement. Processes are how your company impelemnts its practices. The more "institutionalized" your processes are, the more mature your cybersecurity program is. CMMC will gauge your company's cybersecurity maturity level. There are five maturity levels. Maturity levels are new with CMMC, NIST SP 800-171 did not have maturity levels.

There are five CMMC levels. Most contractors will have to meet level one or two CMMC requirements.

Level 1: perform 17 cybersecurity practices.
Level 2: perform and document 72 practices.
Level 3: perform, document, and manage 130 practices.
Level 4: perform, document, manage, and review the effectiveness of 156 practices.
Level 5: perform, document, manage, review, and optimize 171 practices.

If you currently have DFARS clause 252.204-7012 in your contract you will likely have a CMMC requirement of level 3 or higher. If you do not have any cybersecurity requirements associated with your DoD contract you will likely have a level one or two requirement. To be sure to always check your contract.

You need to undergo an official CMMC assessment by a certified third party auditor. As of now (May 2020) this is not possible because there are no certified third-party auditors. The certification process will become clearer in the coming months.

The DoD said that "the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.". Translation: The DoD is only paying for your CMMC certification. They are not paying for the cost it takes to actually implement your cybersecurity requirements. So all your man-hours, software licensing, and equipment costs will be on you.

Be proactive.

If you have a DoD contract requiring the implementation of NIST SP 800-171 (DFARS clause 252.204-7012) then continue implementing it.

If you have a DoD contract that doesn't have DFARS clause 252.204-7012 you should start implementing CMMC level 1. These are practices you should be doing anyway and will prepare you in case you have to implement a higher CMMC level.

We simplified CMMC preparation into a three-step process with an easy to use web app. Via our app, our cybersecurity team conducts a gap analysis of your cybersecurity program and creates a project plan for meeting your CMMC requirements.