If your company is not taking cybersecurity seriously, you could be locking yourself out of government contracts. In 2020, the US Department of Defense introduced the Cybersecurity Maturity Model Certification (CMMC). CMMC established a framework to assess DoD contractors for cybersecurity compliance before they qualify for government contracts.
What is a Maturity Model?
A maturity model refers to a progressive scale of compliance towards a spectrum of cybersecurity standards. Once a business is certified to a specific level of cybersecurity compliance, they are expected to maintain that level while working on contracts that require certification.
What are the CMMC Levels?
Some level of certification will be required for all DoD contracts by 2026. Contractors will start seeing CMMC requirements in RFBs as early as the fall of 2021.
CMMC consists of 5 levels of cybersecurity sophistication ranging from basic to advanced.
Level 1: Basic Performed Cybersecurity
Level 2: Documented Intermediate Cybersecurity Hygiene
Level 3: Managed Good Cybersecurity Hygiene
Level 4: Reviewed and Proactive
Level 5: Optimized, Proactive and Advanced
To achieve certification at each level, businesses must demonstrate that they meet a specific set of processes, practices, and goals appropriate for that level.
The DoD recognizes that not all contracts require the same level of certification. It is expected that contracts will be available for a range of certifications along the entire maturity spectrum. Some contracts may only require a level one certification, while others may require a level four or five. The necessary level of CMMC certification will be determined by the type of information contractors will access to complete the contract and will be specified in the RFB. Unfortunately, many businesses will learn that the CMMC certification levels are not as far apart as one might hope. CMMC certification will be a high hurdle for most private small and medium-sized business owners.
What Information Does CMMC Protect?
The primary goal for the CMMC framework is to protect two types of information, Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
CUI is a category of information that is not classified but requires protection, such as medical, personnel, legal, and financial information, and more. A complete list of CUI can be found at: https://www.archives.gov/cui/registry/category-list
FCI is information provided by or generated by the government under a contract to develop or deliver a product or service.
The purpose of safeguarding this information is to protect the DoD supply chain, for which the DoD relies heavily on private business contractors.
Does My Business Need to Be CMMC Certified?
CMMC applies to any contractor who engages directly with the DoD. It also applies to all subcontractors who work with direct DoD contractors to fulfill DoD contracts. This means every business that participates in a DoD contract must be CMMC certified. It does not matter how extensively, how deeply, or for how short a time your business is involved in a DoD contract. If your business is working directly or indirectly with the DoD, you must obtain some level of CMMC certification.
One of the most significant changes that occurred under CMMC was a shift from self-assessment to third-party assessment for certification. Under the NIST guidelines, contractors were able to determine their compliance for DoD contract bidding through a self-assessment. This is no longer allowed under CMMC.
As more becomes known about CMMC certification standards at each level, businesses are becoming aware of how high the DoD is setting the cybersecurity bar. Businesses that mix DoD contract work with commercial business will find complying with CMMC difficult. Every business will need to make operational changes to comply with CMMC standards.
Additionally, NIST compliance will not guarantee CMMC compliance. CMMC expands security requirements and adds 20 new requirements beyond current guidelines. Ultimately, CMMC will weed out cybersecurity risks posed by outside DoD contractors by reducing CMMC and NIST noncompliance to zero.
How Does My Business Become CMMC Compliant?
Compliance with CMMC and NIST is a non-negotiable requirement for working with the DoD going forward. Compliance is confirmed through a third-party assessment and certification process. Contractors will be responsible for obtaining, maintaining, and demonstrating their certification and continued compliance when bidding on DoD contracts. The DoD plans to have a centralized resource for contractors to retain an accredited assessor. The first assessors are currently in training. However, getting certified is the last step in the process. After all, if you owned a restaurant, you would not wait until after a health inspection to clean your kitchen.
The CMMC certification is an affirmation that your business is actively operating responsible cybersecurity processes. Audits will require documentation to prove your business has complied for 6 months, which means businesses need to start working toward documented compliance now. This can seem overwhelming. IntelliSystems has created a CMMC preparedness service to help businesses meet CMMC requirements for certification.
IntelliSystems CMMC Preparedness
The IntelliSystems CMMC Preparedness process begins with an initial assessment. Our engineers measure a business's current cybersecurity environment and weigh it against the CMMC and NIST requirements for the level of certification it will most likely need. This preliminary assessment is conducted by our in-house cybersecurity engineers working with your internal staff. Together, we help identify and remediate CMMC and NIST non-compliance before businesses face an auditor. We work with your team to lay out an action plan to remediate your cybersecurity risks and to establish the operating processes, procedures, and documentation needed to achieve CMMC certification.
Failure to take cybersecurity seriously now will leave your business out of important and profitable government contracts in the future.