The Cybersecurity Maturity Model Certification (CMMC) is a standardized set of requirements developed by the Department of Defense (DoD). It applies to every contractor and governmental subcontractor to the DoD that stores, processes or manages Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
It was developed after analysis by the DoD showed huge inconsistencies in the implementation of cybersecurity measures; in the worst cases, some contractors were intentionally “hacking” around security measures in order to make development faster and easier.
What are the benefits of certification to the standard?
Certification to the CMMC standards is required for certain contractors and subcontractors beginning in 2020. Because of the CMMC requirement, some contractors have been shut out of work, leaving the door open for those who earn the certification.
Department of Defense Contract Eligibility
The Cybersecurity Maturity Model Certification is critical for those working in defense contracting. Any contractor who fails to demonstrate CMMC compliance can’t win new contracts. Contractors are required to meet CMMC compliance at one of five levels, Level One through Level Five.
Typically, contracts handling “Secret” information will need to meet Level Three or higher. Contractors handling “Top Secret” information will need to meet Level Four in most cases. Finally, contractors handling extremely sensitive information at higher clearance levels (those that use SCIFs) will need to have the highest, Level Five certification.
Keep in mind that both practices and processes must be at the same level. If a company’s practices or processes are inconsistent with one another, the lower level will be awarded to the company.
One of the major security holes the DoD consistently faced was that subcontractors did not adhere to reasonable security standards. Under the CMMC requirements, the Prime contractor’s level is the one that is mainly considered.
However, non-prime contractors must also meet these CMMC requirements. Depending on the types of data that the contractor can access, their level requirement could differ from that of the Prime contractor. Regardless of the required level for the Prime contractor, under CMMC, every sub-contractor must at minimum obtain a Level One certification to be able to even work in the industry.
CMMC Certification helps with the following:
- Lower the risk of employees illegally transmitting or stealing sensitive/classified information.
- Comply with both voluntary and mandatory security standards set forth by high-profile governmental agencies and NGOs.
- Depending on the CMMC Level, have the ability to reliably hold off Advanced Persistent Threats (APTs) as well as simple attacks of opportunity.
- Reduce the overall operating costs by reducing the risk of threats. Attempts that aren’t thwarted may end up costing the company tens of millions of dollars.
- Win more work over time and become a more trusted and well-known contractor to the DoD.
Possible Impacts of CMMC
To determine the impact CMMC has on your business, you will first need to look at your data inputs. If you use controlled but not classified information, a Level One certification might be all that’s necessary. If you don’t meet Level One requirements, you risk losing crucial business.
The DoD allows companies to be temporarily certified at CMMC Level Two. At Level Two, a company is maxing out what it can do on a basic level but is still not reaching the advanced level of capabilities, processes, and practices that the DoD expects. Though there is a rule governing when a company must move forward, any company stuck on Level Two should be prepared to lose contracts if it doesn’t quickly advance to at least Level Three. Remember, there are plenty of contractors already at Level Three, so Level Two is not necessarily a competitive advantage.
Lastly, recall that all CMMC levels are subject to random auditing by agencies such as NIST. They also require that you have documented in-house auditing procedures. This can be done by using an outside agency. If this is not done, you may lose your contracts.
Obtaining CMMC Certification
Whether you’re a small contracting startup or a mega-corporation, you will need to obtain CMMC certification if you intend to continue or start any DoD contracts. All certifications must be independently assessed by an Accredited CMMC Third Party Assessment Organization (C3PAO). Certification can take months to fully process, as it takes internal and external security professionals to fully verify that you’re in compliance with all domains, practices, and standards that are in place.
Consulting with the right professionals, like TrustNet, can help you obtain the CMMC certification you need. Reach out today to learn more.