The Cybersecurity Maturity Model Certification (CMMC) will encompass multiple capability and maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intention of CMMC is to serve as a verification mechanism. The standard exists to ensure that adequate cybersecurity controls and processes are established within your organization to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
This certification aims to provide better flexibility among contractors working with the DoD to meet the information security requirements relevant to the type of work they perform. It offers a path to the security requirements needed to perform work on increasingly sensitive contracts. As shown below, CMMC uses NIST SP 800-171 as the primary foundation for compliance and splits it across the first 3 levels. If you currently work with CUI, or plan to in the near future, Level 3 is the minimum requirement you must meet for access to those contracts. Levels 4 and 5 primarily source from NIST SP 800-172 and are intended for companies with significantly more sensitive information in their contracts. Identifying the CMMC level your organization should target requires diligent consideration of the information in the contracts you perform, as well as the future goals you hope to pursue. The further you progress through the levels the more challenging and expensive the requirements become. Do not make your decision lightly! The model will require a contractor’s security environment to be assessed by a third-party auditor – ultimately providing an objective evaluation of an organizational compliance score between the five levels.
Once CMMC begins to appear in contracts, all DoD contractors will be obligated to meet the appropriate requirements for the contract work they intend to perform. Contracts will be awarded based upon the level of security that is deemed necessary for your organization’s contracted work – meaning if you aren’t certified at that level, you will be ineligible to win any contract with the DoD. According to the CMMC Accreditation Body, the Assessment Ecosystem Timeline is as pictured below. All DoD contractors must adhere to this timeline to bid on contracts by 2021.
The new requirement for third-party audits is of great interest in the industry today, considering it was previously acceptable for organizations to self-assess their security posture. An independent third party ensuring the effective implementation of the appropriate security controls is a critical requirement to ensure information and information systems are being adequately safeguarded. With Kreative’s long history of proven results in the CMMI and ISO appraisal space, our understanding of the importance and relevancy of maturity levels, and our alignment to the auditing process, we are perfectly positioned to assist with these new changes. We are keeping a close eye on all information as it becomes available in order to stay in front of any new developments, ensuring our clients are proactively prepared.
If you are a DIB contractor, you will need to become certified to a CMMC maturity level as required by future DoD contracts. Now is the time to identify what level will be required of your organization based on current contracts and whether or not you maintain or create any Controlled Unclassified Information (CUI). Additionally, work to meet the associated requirements needs to begin immediately, so that you can properly demonstrate that they are implemented and fully adhered to within the organizational culture.
The difference is not focused on size as much as it is focused on the information a contractor maintains. The same requirements are applicable to any organization that maintains Controlled Unclassified Information (CUI) and/or Federal Contract Information (FCI), regardless of size. A large organization will likely have to deal with a significantly larger scope, whereas a small business may find that solutions for certain requirements are cost-prohibitive.
Kreative recommends taking steps ASAP to complete the following tasks:
Review current contracts to determine if you currently maintain or create any CUI
Perform a Gap assessment of your current security implementation against the CMMC requirements
Ensure proper documentation covering CMMC implementation within the organization is in place
Currently there are no C3PAOs available to perform assessments. When they become available, you will be able to source a C3PAO on the official CMMC AB Marketplace located on https://portal.cmmcab.org/marketplace/.
Up until now, provisional assessments have been performed to test and improve the developed assessment process. Following the provisional period, a pilot program will go into effect starting in 2021, in which additional assessors and C3PAOs will be brought on to further improve the process and conduct assessments. Prioritization is going to be focused on a very small handful of contracts where a certification will be required at contract award for the selected organization. Based on current timelines, these Pilot contracts will be the only contracts carrying CMMC requirements up through 2026, with the number of Pilot contracts expected to increase each year. By 2026, CMMC is expected to be required for all DoD contracts. If you are looking to receive a certification sooner, you will need to bid on and win one of the contracts selected to be part of the Pilot program.