Should Your Business Worry About CMMC?
The short answer is yes. If you’re a contractor working with the DoD, or even a subcontractor on DoD projects, expect these new requirements to apply to your business soon. The DoD estimates that by the end of 2021, 15 contracts will include CMMC requirements, and that by 2025, 479 contracts will contain CMMC clauses, with nearly 50,000 certified contractors.
What Is CMMC?
This year the Department of Defense (DoD) implemented a new contractor certification standard: The Cybersecurity Maturity Model Certification (CMMC). CMMC was designed to help better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), intending to regulate and heighten cybersecurity measures and protocols across the Defense Industrial Base (DIB).
DoD contractors handle large amounts of sensitive information, and with security risks constantly increasing, the DoD has defined significant security mandates for anyone wanting to do business with it. Certification gives the DoD assurance that every contractor meets the updated standards.
Contractors working with the DoD should already have these processes in place, but compliance will now be verified by assessment rather than left to self-attestation. Ultimately, the main goal is to safeguard information by following processes and protocols designed to keep CUI confidential.
Who Will Conduct the Assessments?
Auditors will be overseen by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). “The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.” (https://cmmcab.org/cmmc-standard/)
Can You Start The Audit Now?
The DoD is still in the process of setting up the steps to achieve certification. To date, only a few assessment companies are available. However, the Accreditation Body is defining its roles and responsibilities to ensure a sound certification process for CMMC Third Party Assessment Organizations (C3PAOs). C3PAOs will be selected and trained to carry out assessments.
Organizations wishing to become CMMC assessors can contact their local Procurement Technical Assistance Centers (PTACs) for information on becoming an assessor. Once these organizations are identified, the PTACs will help connect contractors with qualified C3PAOs, and the certification process can begin.
Is It Your Responsibility To Know If You Need CMMC?
Subcontractors will also need to demonstrate that CMMC requirements are met before working with prime contractors on DoD projects. In some situations, subcontractors won’t need the same CMMC Level as their prime contractor. If the subcontractor is performing Level 1 work, that’s the CMMC Level they’ll need to reach, regardless of the Level the prime contractor must hold. The process was designed to make CMMC implementation easier for smaller contractors and to reduce interruption to their workflow.
Where To Begin Today
If your business has already been following the NIST SP 800-171 guidelines effectively, the transition should be reasonably straightforward. Level 1 certification is all about the basics of cybersecurity, which every business should be practicing whether or not it works with the government. Level 1 is composed of things you’re likely already doing. At Level 2 and beyond, the requirements become more rigid. We’ll cover the specifics of each CMMC level in a later post.
Sources
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf
https://cmmcab.org/marketplace/
https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
https://www.acquisition.gov/dfars
https://www.acq.osd.mil/cmmc/contact-us.html