Cybersecurity Maturity Model Certification (CMMC) will soon be a requirement for companies that want to bid on Department of Defense (DoD) contracts. While certification is not yet available, DoD contractors can get started ahead of time by learning the CMMC requirements and preparing a strategy for long-term cybersecurity fortification. Contractors that begin assessing their own practices and identifying missteps or gaps will be ready to navigate the certification process before their competitors, and will be in a better position when it comes time to win DoD contracts under the new standards. Preparing for certification now will help you stay ahead of the curve and give you an advantage over competitors.
What is CMMC?
CMMC is a standard for implementing cybersecurity across the defense industrial base, which is made up of over 300,000 companies. The DoD released Version 1.0 in January of 2020, which was drafted with input from university-affiliated research centers and federally-funded research and development centers.
Prior to this, contractors were responsible for the security of their IT systems and all sensitive DoD information stored on or transmitted by those systems. Contractors will remain responsible for meeting cybersecurity requirements, but CMMC adds third-party assessments of compliance with mandatory procedures and practices designed to adapt to evolving cyber threats from malicious actors. CMMC certification is mandatory for all DoD contractors.
CMMC consists of 5 levels:
Level 1: Basic cyber hygiene – This first level requires the use of antivirus software, staff training on password protection and multi-factor authentication.
Level 2: Intermediate cyber hygiene – This level introduces controlled unclassified information (CUI). The DoD defines this as “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls.” Organizations must document cybersecurity practices and prove compliance with NIST 800-171 r2 security requirements.
Level 3: Good cyber hygiene – For compliance with this level, organizations must have 47 security controls in place, in addition to the basic security controls already required.
Level 4: Proactive – Level 4 requires active measurement, detection and defeat of security threats.
Level 5: Advanced/progressive – Level 5 requires 30 additional security controls. These relate to an organization’s ability to respond to an evolving threat landscape through auditing and managerial processes.
2 reasons to get started on CMMC
Though the details of CMMC compliance are still emerging, there is enough information currently available for organizations to start preparing. It’s crucial that your company can pass the certification process on the first attempt, as otherwise you will be unable to offer services and/or products to the DoD for an extended period of time. The following are steps you can take now:
- Conducting a readiness assessment and gap analysis
- Implementing cybersecurity monitoring
- Developing a System Security Plan (SSP)
- Advancing/documenting your CMMC practices
Competitive advantage
Making sure your security program is functioning at optimal levels will put you ahead of the competition. With CMMC, companies that get in earlier will have a significant advantage over competitors. This could extend to acquisition opportunities and overall scalability. Companies that can’t get their CMMC certification in time to win a contract may have to sell to companies that are certified.
Additionally, industry-leading cybersecurity professionals will want to work with organizations that are proactive and competitive in the space. The ability to scale for new projects will attract the best talent and result in growth in the defense market. The cybersecurity space is constantly evolving along with the growing global threat landscape, and new organizations are constantly entering the market. Any advantage over the others will put a company in a better position when it comes to defense contracts.
It is possible that the COVID-19 pandemic will impact the certification process. Surges in remote work and school and the use of teleconferencing software have been creating new cybersecurity challenges. There have already been reports of increased activity by malicious actors attempting to access classified information and exploit companies in the defense industrial base. Organizations must also assume that all DoD contracts will require certification, whether they are new or up for re-compete. With contractors set to face these problems, it’s crucial that they do not procrastinate. Getting certified as early as possible and winning contracts that will safeguard important data is critical.
Opportunity cost
If your organization is prepared for certification once it is available, you’ll be among the first to get certified. This can translate to more opportunities for DoD contracts. There’s no reason not to begin checking the necessary boxes and making sure that when the time comes, you’re ready. That way, you won’t lose out on opportunities. A lot goes into building and running a CMMC-compliant organization. Delaying could cost you a lot in potential contracts.
According to the CMMC Accreditation Body (AB), the process should take about six months, and up to 6,000 companies will be pursuing certification in the federal fiscal year 2021. This estimate assumes, however, that the company is already compliant with all existing cybersecurity requirements under DFARS 252.204-7012, specifically NIST SP 800-171. If it is not, CMMC compliance will likely take even longer than six months, during which time other organizations will be developing and renewing DoD contracts to which you might have had access if you had started preparing early.
Many of the common compliance gaps take months to correct, and CMMC practices require involved implementation processes. The AB anticipates a bottleneck as companies begin to seek certification. If a company does not pass on the first try, it will have to wait before it is considered again. C3PAOs (companies that are authorized to contract to perform assessments) may be backlogged by the time you’re ready for certification, which will delay your ability to win contracts even further.
Contact us
If you’re interested in partnering with an enterprise security team, contact Status Cyber today. We work with both federal and commercial clients across all areas of cybersecurity.