Understanding and Preparing for the CMMC
What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity standard that will be applied to all future Department of Defense (DoD) acquisitions to regulate the Defense Industrial Base (DIB). The model requires any prime contractor or subcontractor, and their supply chain, to demonstrate a specified level of cybersecurity maturity for a given contract. The existing FAR 52.204-21 and DFARS cyber requirements (DFARS 252.204-7012), along with NIST SP 800-171, form the basis of the CMMC.
Source: OUSD A&S: CMMC Model v1.02
Protecting Controlled Unclassified Information (CUI) is the main goal of the CMMC. According to the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S), CUI is defined as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government. The DoD is requiring the DIB to enhance their cybersecurity posture to reduce the loss of CUI and, in turn, reduce the risk to national security.
The CMMC will serve as a verification mechanism, departing from the DoD practice of contractor self-attestation of cybersecurity requirements, and requires certified third-party assessor organizations (C3PAOs) to assess an organization's adherence. C3PAOs are certified to provide official CMMC assessments by the CMMC Accreditation Body (CMMC-AB). After the C3PAO performs the official assessment, the assessment results are sent to the CMMC-AB, which issues the organization's certification based on the findings.
The CMMC-AB has not yet certified any C3PAOs or Certified Assessors as the training is still being developed. No third-party organization has been certified to provide official CMMC assessments, or any official certification at this time.
The CMMC Model
The CMMC is broken down into five (5) levels of certification, with level one (1) requiring basic cyber hygiene and level five (5) requiring the most mature and secure environment. All contractors within the DoD supply chain will be required to achieve at least level one (1) CMMC compliance in order to bid on defense contracts.
Source: OUSD A&S: CMMC Model v1.02
The model encompasses 17 Capability Domains, such as Access Control (AC), Audit and Accountability (AU), and System and Information Integrity (SI), to name a few. Within each domain, there are processes and practices that span a subset of the five (5) levels. As the CMMC levels progress toward a more advanced cybersecurity posture, additional processes and practices are added, and each level is cumulative: an organization must also satisfy every process and practice of the levels below it.
Source: OUSD A&S: CMMC Model v1.02
How Can You Prepare?
Each of the more than 300,000 organizations expected to seek CMMC certification will need to prepare for the official assessment before engaging a C3PAO. Being adequately prepared for the official assessment can save costs down the line and streamline the certification process, so your organization is not left behind when bidding on new contracts.
The best way for an organization to prepare for its official CMMC assessment is a comprehensive readiness analysis of the organization's unique computing environment against the CMMC processes and practices at the targeted level. By doing so, an organization can identify gaps between its environment and the CMMC, develop plans to remediate those gaps, and invest the time and resources needed to carry the remediation plans through. Taking these steps early gives the organization the best possible footing going into the official assessment from a C3PAO and reduces the risk of surprises on the road to certification.
Don’t Wait!
The CMMC is on its way and it is approaching fast! Information from the CMMC-AB Board of Directors suggests that organizations will need to be CMMC compliant as early as Q1 of 2021. Katie Arrington, CISO for the Assistant Secretary of Defense for Acquisition, stated on a recent webinar: "Do not wait, get ready. [...] If a Prime states that a subcontractor should not worry about it [CMMC] until 2022, your prime is not bidding on anything until 2022." The CMMC-AB also suggests that organizations seeking certification need to start preparing at least six (6) months in advance.
Source: CMMCAB.org/osc-lp
Our Solution
GlobalSecurityIQ's CMMC Readiness Solution will evaluate your compliance against your organization's desired CMMC level. Our highly experienced team of cybersecurity professionals all hold industry-leading credentials and have conducted numerous cybersecurity assessments against a range of frameworks, including NIST SP 800-171, NIST CSF, HIPAA, NYS DFS, and PCI DSS.
We will comprehensively analyze your unique computing environment and identify all gaps against the CMMC processes and practices at your organization's desired level. For each identified gap, we will provide your organization with recommendations on how to remediate it in the most secure way possible. After following our remediation recommendations, your organization will be in the best shape possible going into your official CMMC assessment.
Contact GlobalSecurityIQ today to get your organization prepared for the CMMC! We can be reached via email at Info@GlobalSecurityIQ.com and via phone at (716) 475-9455.