Cybersecurity Maturity Model Certification (CMMC), developed by the U.S. Department of Defense (DoD), is a new requirement for existing DoD contractors that will entail third-party certification. A single standard applied across all DoD contracts, CMMC is intended to ensure that appropriate cybersecurity practices and processes are in place to safeguard federal contract information (FCI) and controlled unclassified information (CUI) handled by defense contractors during the performance of DoD contracts. The certification framework builds on existing requirements, such as NIST SP 800-171, NIST SP 800-53 and AIA NAS9933, and makes cybersecurity an "allowable cost" in DoD contracts. CMMC Version 1.0 was released in January 2020, and CMMC is expected to appear as a requirement in select Requests for Proposals (RFPs) by the end of fiscal year (FY) 2020 in September. The DoD plans that by FY 2026, CMMC will be a requirement for all companies contracting with the DoD, both prime contractors and subcontractors.
The CMMC framework defines five levels of certification, each requiring the demonstration of specific practices and processes, so that a contractor can be certified at the tier appropriate for the data it handles. Future RFPs will state the required CMMC level (1-5) for the risk profile of the work involved, and contractors will need proof of certification at the specified level in order to bid.
The five CMMC certification levels can be summarized in terms of their primary goals and the layered manner in which each level builds on the controls included in the level below it:
The time your company will need to prepare for CMMC depends on the size and complexity of your cybersecurity program, on whether your environment already has an active and up-to-date security program, and on the CMMC level you are trying to attain. The first step is to gather the documentation (e.g., cybersecurity policies, standards and procedures; the System Security Plan (SSP); Plans of Action and Milestones (POA&Ms)) that demonstrates you have implemented the practices and processes required for the level at which you are seeking certification. From an auditor's perspective, without these artifacts you cannot prove that your cybersecurity program is in place.
Our compliance experts provide a roadmap to help your company affordably become CMMC compliant, preparing you and ensuring your cybersecurity practices are in place and documented in accordance with the framework.