The Cybersecurity Maturity Model Certification (CMMC) requirements are part of the Pentagon’s mandate to protect industrial base networks and controlled unclassified information from cyber attacks. Posed to impact every company within the Defense Department’s supply chain—not just the defense industrial base—CMMC could affect as many as 300,000 contractors, including many small businesses in our area.
The below Q&A can help clear up some misinformation in the market surrounding CMMC.
How did CMMC come about?
The DoD formally announced the CMMC in June 2019, citing a MITRE report from late 2018 that found an overwhelming majority of government contractors were not meeting the requirements of DFARS 252.204-7012, and that less than one percent of companies were compliant with NIST SP 800-171 self-certification.
The DoD has worked with private industry to create a 5-level cybersecurity maturity model that will require nearly all DoD contractors to be certified within the next five years. Implementing the practices and achieving maturity levels is especially worrisome for small- and mid-sized businesses (SMB). The CMMC was designed so that an SMB could implement the controls independently. However, in practice, many lack the expertise internally. As a result, many companies turn to cybersecurity consultants.
Can you prepare for a CMMC Audit by comparing cybersecurity posture to NIST SP 800-171 controls?
The facts: Beware of ads and case studies citing CMMC experience based on NIST SP 800-171 readiness assessments. Conducting NIST SP 800-171 assessments is not the same as conducting CMMC readiness assessments.
The CMMC Accreditation Body (AB) has announced that assessors should be using the most current version of the CMMC in their readiness assessments. Additionally, no company is currently authorized to provide an official Maturity Level Assessment. Authorized assessors will be designated by a Certified 3rd Party Assessor Organization (C3PAO) badge.
Do DoD Contractors need to be certified by an Accredited Assessor to bid on an RFP?
The facts: Maturity Level Certification is not required until award notice. At that time, the contracting officer will need to check SPRS to verify the awardee has the CMMC Maturity Level Certification required by the proposal. The CMMC-AB suggests contractors give themselves six months to get compliant with their desired Maturity Level. This is critical because assessors are being trained to not only look at technical controls and documentation compliance, but also at how long they have been in place. There is an emphasis on maturity in the CMMC. Companies need to show the cybersecurity practices are engrained in their operating culture.
It’s important for SMBs to identify what Maturity Level they will need and work toward compliance early.
Organizations are using the CMMC logo on their website to suggest they are already aligned with the CMMC Accreditation Body (CMMC-AB) for pre-assessment purposes, is that accurate?
The facts: While the CMMC-AB does encourage readiness assessments, the best practice for contractors is to have the work completed by an organization that is a Registered Practitioner Organization (RPO) with Registered Practitioners (RP).
As of this writing, the CMMC-AB has not approved any RPO or RP applications. Therefore, using the CMMC logo currently does not indicate any skill level or certification.
Does the DoD require CMMC certification starting in FY2021?
The facts: If you aren’t bidding on a new contract, your CMMC certification isn’t imperative. The DoD has said the highest level required by any contract in Year 1 would be ML-3. Higher maturity levels are not yet finalized. At least 15 IDIQs/GWACs are scheduled to be released in FY2021 with CMMC requirements. The DoD is very conscious and cautious of how the CMMC ecosystem will function and hopes to avoid bottlenecks.
Companies who believe they will need to be certified in 2021 should start the pre-assessment process now, allowing ample time for remediation and reassessments before their official C3PAO audit.