With the increasing risk of cyber threats come new national regulations to help protect organizations. Recently, the U.S. Department of Defense established a series of safeguards to protect its data, known as the Cybersecurity Maturity Model Certification (CMMC).
What is CMMC?
The CMMC is a type of information security maturity model specific to Department of Defense third-party contractors. The program was created to ensure all aspects of the Department of Defense supply chain are secured. It builds off existing acquisition regulations like DFARS and NIST 800-171 that require contractors to protect the information with which they are entrusted.
CMMC compliance ensures that companies entering into contracts with the Department of Defense to provide goods and services have adequate safeguards in place to protect their data.
The CMMC certification addresses the protection of two types of data:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI) or Unclassified CUI
Each type of data has its own set of safeguards or security requirements. Every contractor who conducts business with the Department of Defense will soon be required to achieve the CMMC before being awarded a government contract.
The Cybersecurity Maturity Model Certification (CMMC) is a requirement for those pursuing, or actively engaged in, government contracts. Compliance with this regulation is key.
How Do I Know if I Need a CMMC?
CMMC compliance is relatively new. So, it’s understandable to question whether or not you need a CMMC and how quickly you’ll need to obtain it.
As a rule, any contractor who is actively engaged with the Department of Defense or looking to pursue a contract with the Department of Defense will need to receive a CMMC. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers.
When Does the CMMC Take Effect?
The Department of Defense has begun including a CMMC requirement in some contracts. The number of such contracts will increase each year until 2026, at which point all new contracts will require a CMMC. Once a contractor has been through the CMMC process, the certification is valid for three years and must then be renewed.
While 2026 may seem like a long way off, the Department of Defense is encouraging contractors to prepare now to meet these new CMMC requirements and consult with an independent, third-party assessor.
How to Get the CMMC
Traditionally, organizations that contracted with the Department of Defense were required to self-report their compliance with IT security requirements outlined in applicable acquisition regulations. However, with these new changes, the CMMC will require compliance with security requirements to be assessed and certified by an independent third party.
This means any organization that has a contract with the Department of Defense will soon be required to obtain a CMMC through the CMMC Accreditation Body (CMMC-AB).
The process for obtaining a CMMC will be done through an independent audit intended to validate compliance with standards established by the CMMC.
The CMMC compliance framework outlines a five-tiered approach based on the sensitivity of the data the contractor will be granted access to under a Department of Defense contract. As these tiers, or “maturity levels,” increase, so do the requirements for protecting that data, with growing emphasis on the reliability of an organization’s cybersecurity infrastructure and its ability to house and protect sensitive information.
What are the CMMC Maturity Levels?
There are five levels within the CMMC framework. Where an organization lands on the maturity level matrix depends on the sensitivity of the Department of Defense information it will work with during its contract.
CMMC Level 1
Level 1 focuses on protecting FCI only. Organizations at this level focus on basic cyber hygiene and on performing specific practices to meet basic safeguarding requirements. As this is the base level of CMMC, a contractor is typically compliant without any additional training.
CMMC Level 2
Level 2 adds documentation of practices and policies to support an organization’s CMMC efforts. Organizations at this level must focus on intermediate cyber hygiene, as this stage is designed as a transition to Level 3.
CMMC Level 3
Level 3 involves protecting CUI. Organizations must establish and maintain a cyber plan for managing activities related to CMMC and its implementation.
CMMC Level 4
Organizations at Level 4 must continually review and measure their security practices for effectiveness. They must demonstrate proactive detection and response capabilities.
CMMC Level 5
At the top level, organizations must optimize their cyber practices to protect DOD data and information. They must demonstrate sophisticated and proactive cybersecurity abilities.
Process for CMMC Compliance
The process for CMMC compliance will include the following steps:
- Determine your maturity level requirement
- Perform a gap assessment
- Remediate identified gaps
- Engage with an assessor
- Apply for a CMMC
How Do I Know Which Maturity Level I Need to Be?
An organization that strictly handles FCI only needs to meet the criteria established within Maturity Level 1 (CMMC ML1). Organizations that handle both FCI and CUI will need to meet the criteria outlined within Maturity Level 3 (CMMC ML3). Note that the CMMC is cumulative: an organization that has met CMMC ML3 requirements will also have controls in place that meet CMMC ML1.
Who Can Perform a Gap Assessment?
A gap assessment helps you measure your current level of compliance. It also assesses how effective your existing internal controls are and exposes areas where CMMC compliance is not upheld.
So who can perform a gap assessment? The simple answer is anyone. Most organizations choose to have it performed by either qualified internal staff or an external consultant. However, be aware that an incomplete or insufficient gap assessment could result in a failed audit.
For this reason, consider having your gap assessment performed by a Registered Practitioner (RP), as part of a Registered Provider Organization (RPO). These designations were established by the CMMC-AB to demonstrate that individuals and organizations are familiar with the core constructs of the CMMC standards and are authorized to provide consulting services to contractors preparing for the CMMC assessment.
Where Can I Go if I Need Assistance Addressing Gaps in My Security Practices and Processes?
Consider engaging with a Registered Practitioner (RP) and Registered Provider Organization (RPO) to assist in closing gaps and preparing for the CMMC assessment.
The CMMC-AB has established a CMMC marketplace, where anyone can search for and view the credentials of authorized RPs and RPOs.
Eide Bailly is a Registered Provider Organization and can assist in closing the gaps and preparing you for your CMMC.
How to Find a Cybersecurity Maturity Model Certification Assessor
CMMC assessors must obtain the Certified Third-Party Assessor Organization (C3PAO) accreditation from the CMMC-AB. This accreditation demonstrates that the organization has been reviewed by the CMMC-AB through a rigorous process to confirm that it is able to perform assessments for those seeking the CMMC. Once an organization has achieved the C3PAO designation, it will be listed on the CMMC-AB marketplace.
Other aspects to look for in a CMMC third-party assessor include:
- Cybersecurity firms that have experience performing audits against security requirements similar to those outlined in the CMMC
- Firms with experience performing third-party audit and attestation services
- Advisors who specialize in risk advisory and cybersecurity best practices
What Do I Need to Have Prepared for a CMMC?
Organizations embarking on a CMMC assessment with a third-party organization should have the following prepared:
- Designated Maturity Level Gap Assessment or Readiness Assessment – If possible, your organization should prepare for the CMMC accreditation by conducting a gap assessment or readiness assessment to the designated maturity level requirements.
- Consider creating or updating a System Security Plan (SSP) – An SSP is formal documentation that lays out company policies, network diagrams and relationships with other systems. Any changes made to meet CMMC requirements should be incorporated into the SSP as well.
- Create a plan of action for conducting the assessment – The plan of action will prepare your organization to understand the resources and timeline requirements in order to conduct the assessment.
- Ongoing compliance – An organization should ensure it remains in continuous compliance with the requirements outlined for its designated maturity level. This should be in place for at least a year before any new processes or controls are created to fill gaps found during the gap assessment.
What if I Have Already Entered into a Contract with the Department of Defense?
If your organization is currently under contract with the Department of Defense, you should begin preparing to meet the designated CMMC maturity level requirements. When your contract is renewed or put out for rebid, there is a high likelihood that it will include CMMC requirements.
The Benefits of Certification
The obvious benefit of the CMMC is compliance with a new standard, which prevents losing time and potential contracts. After all, the CMMC will soon be a requirement for all government contracts.
However, there are other benefits to the CMMC. For instance, it allows your company to review and reduce cyber risk by identifying gaps in your processes and procedures. It can help you improve internal controls and build on existing structures so that you are better prepared to prevent, detect and respond to a cyber breach. And it allows your organization to verify that your cybersecurity controls are working, rather than waiting until a breach occurs.
Contractors who choose to wait to become certified stand to lose valuable contracts.