CMMC - Cyber Maturity Model Certification Audit
Government Contractors and Information Security – ‘A Look into the Future’
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) encompasses multiple capability and maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. CMMC is intended to serve as a verification mechanism: it confirms that adequate cybersecurity controls and processes are established within your organization to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
What does this mean for DoD contractors?
This certification aims to give contractors working with the DoD more flexibility in meeting the information security requirements relevant to the type of work they perform. It offers a path to the security requirements needed to perform work on increasingly sensitive contracts. As shown below, CMMC uses NIST SP 800-171 as the primary foundation for compliance and splits its requirements across the first three levels. If you currently work with CUI, or plan to in the near future, Level 3 is the minimum you must meet to be eligible for those contracts. Levels 4 and 5 draw primarily from NIST SP 800-172 and are intended for companies whose contracts involve significantly more sensitive information. Identifying the CMMC level your organization should target requires careful consideration of the information handled under the contracts you perform, as well as the future work you hope to pursue. The higher the level, the more challenging and expensive the requirements become, so do not make the decision lightly! The model requires a contractor’s security environment to be assessed by a third-party auditor, which ultimately provides an objective evaluation of where the organization’s compliance falls among the five levels.
Note: The number of controls per level shown above will change in future revisions of the CMMC model.
Timelines to Consider for DoD Contractors
Once CMMC begins to appear in contracts, all DoD contractors will be obligated to meet the requirements appropriate to the contract work they intend to perform. Contracts will be awarded based on the level of security deemed necessary for your organization’s contracted work, meaning that if you are not certified at that level, you will be ineligible to win that contract with the DoD. According to the CMMC Accreditation Body, the Assessment Ecosystem Timeline is as pictured below. All DoD contractors must adhere to this timeline to bid on contracts by 2021.
The new requirement for third-party audits is of great interest in the industry today, since it was previously acceptable for organizations to self-assess their security posture. An independent third party verifying the effective implementation of the appropriate security controls is a critical requirement for ensuring that information and information systems are adequately safeguarded. With Kreative’s long history of proven results in the CMMI and ISO appraisal space, and our understanding of the importance and relevancy of maturity levels and their alignment to the auditing process, we are perfectly positioned to assist with these new changes. We are keeping a close eye on all information as it becomes available in order to stay ahead of new developments and ensure our clients are proactively well prepared.