CMMC - Cyber Maturity Model Certification Audit
Government Contractors and Information Security – ‘A Look into the Future’
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) encompasses multiple capability and maturity levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced”. CMMC is intended to serve as a verification mechanism: it confirms that your organization has established cybersecurity controls and processes adequate to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
What does this mean for DoD contractors?
This certification aims to give contractors working with the DoD more flexibility in meeting the information security requirements relevant to the type of work they perform. It offers a path to the security requirements needed to perform work on increasingly sensitive contracts. As shown below, CMMC uses NIST SP 800-171 as the primary foundation for compliance and splits it across the first 3 levels. If you currently work with CUI, or plan to in the near future, Level 3 is the minimum requirement you must meet for access to those contracts. Levels 4 and 5 primarily source from NIST SP 800-172 and are intended for companies whose contracts involve significantly more sensitive information. Identifying the CMMC level your organization should target requires diligent consideration of the information in the contracts you perform, as well as the future goals you hope to pursue. The higher the level, the more challenging and expensive the requirements become, so do not make the decision lightly! The model will require a contractor’s security environment to be assessed by a third-party auditor, ultimately providing an objective evaluation that places the organization at one of the five levels.
Note: the number of controls per level will change in future revisions of the CMMC model.
Timelines to Consider for DoD Contractors
Once CMMC starts showing up in contracts, all DoD contractors will be required to meet the appropriate requirements for the contract work they intend to perform. Contracts will be awarded based upon the level of security deemed necessary for the work to be performed under that specific contract task, meaning that if you aren’t certified at that level, you can’t win the contract!
- Right Now: With version 1.0 of CMMC officially published, now is the time for contractors to assess their security implementation and see how it compares to the requirements of the model. From there, plans can be made to close any identified gaps before the upcoming audits.
- 2020 – June: In June 2020 the CMMC requirements will appear in Requests for Information (RFIs).
- 2020 and Beyond: In late 2020 DoD contractors will need to be certified to bid on Requests for Proposal (RFPs).
The new requirement for third-party audits is of great interest in the industry today, since it was previously acceptable for organizations to self-assess their security posture. An independent third party verifying the effective implementation of the appropriate security controls is a critical requirement for ensuring that information and information systems are adequately safeguarded. With Kreative’s long history of proven results in the CMMI and ISO appraisal space, our understanding of the importance and relevance of maturity levels, and our alignment with the auditing process, we are well positioned to assist with these new changes. We are keeping a close eye on all information as it becomes available in order to stay in front of any new developments and ensure our clients are proactively well-prepared.