
CMMC - Cybersecurity Maturity Model Certification Audit

Government Contractors and Information Security – ‘A Look into the Future’

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) encompasses multiple capability and maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. CMMC is intended to serve as a verification mechanism: the standard exists to ensure that adequate cybersecurity controls and processes are established within your organization to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

What does this mean for DoD contractors?

This certification aims to give contractors working with the DoD more flexibility in meeting the information security requirements relevant to the type of work they perform. It offers a path to the security requirements needed to perform work on increasingly sensitive contracts. As shown below, CMMC uses NIST SP 800-171 as the primary foundation for compliance and splits it across the first 3 levels. If you currently work with CUI, or plan to in the near future, Level 3 is the minimum requirement you must meet for access to those contracts. Levels 4 and 5 draw primarily from NIST SP 800-172 and are intended for companies with significantly more sensitive information in their contracts. Identifying the CMMC level your organization should target requires careful consideration of the information in the contracts you perform, as well as the future goals you hope to pursue. The further you progress through the levels, the more challenging and expensive the requirements become. Do not make your decision lightly! The model will require a contractor’s security environment to be assessed by a third-party auditor, ultimately providing an objective evaluation of the organization’s compliance against the five levels.

Note: the number of controls per level will change in future revisions of the CMMC model.

Timelines to Consider for DoD Contractors

Once CMMC begins to appear in contracts, all DoD contractors will be obligated to meet the appropriate requirements for the contract work they intend to perform. Contracts will be awarded based upon the level of security that is deemed necessary for your organization’s contracted work, meaning that if you aren’t certified at that level, you will be ineligible to win that contract with the DoD. According to the CMMC Accreditation Body, the Assessment Ecosystem Timeline is as pictured below. All DoD contractors must adhere to this timeline to bid on contracts by 2021.

Becoming Certified

The new requirement for third-party audits is of great interest in the industry today, considering it was previously acceptable for organizations to self-assess their security posture. An independent third party verifying the effective implementation of the appropriate security controls is a critical requirement to ensure information and information systems are being adequately safeguarded. With Kreative’s long history of proven results in the CMMI and ISO appraisal space, our understanding of the importance and relevance of maturity levels, and our alignment with the auditing process, we are well positioned to assist with these new changes. We are keeping a close eye on all information as it becomes available in order to stay ahead of any new developments, ensuring our clients are proactively prepared.

CMMC: Frequently Asked Questions

What are my responsibilities as a DIB contractor, specifically related to CMMC?

If you are a DIB contractor, you will need to become certified to a CMMC maturity level as required by future DoD contracts. Now is the time to identify what level will be required of your organization based on current contracts and whether or not you maintain or create any Controlled Unclassified Information (CUI). Additionally, efforts need to begin immediately to meet the associated requirements and to properly demonstrate that those requirements are implemented and fully adhered to within the organizational culture.

How is CMMC different for large and small contractors?

The difference is driven less by size than by the information a contractor maintains. The same requirements apply to any organization that maintains Controlled Unclassified Information (CUI) and/or Federal Contract Information (FCI), regardless of size. A large organization will likely have to deal with a significantly larger scope, whereas a small business may find that implementing certain requirements is cost-prohibitive.

What should I be doing now to prepare for CMMC eventually being required of my company?

Kreative recommends taking steps ASAP to complete the following tasks:

- Review current contracts to determine if you currently maintain or create any CUI
- Perform a gap assessment of your current security implementation against the CMMC requirements
- Ensure proper documentation covering CMMC implementation within the organization is in place

How do I scope the assessment?

At the January 2021 CMMC Town Hall session it was mentioned that formal scoping guidance would be provided in the near future. Based on past information and what we know of the model today, some assumptions can be made ahead of that more formal guidance. CMMC is largely focused on protecting two types of information, FCI and CUI. Any place the relevant FCI/CUI may land will be required in the scope of a CMMC assessment. To effectively reduce the scope of an assessment, the areas through which FCI and CUI flow must be restricted to a limited, controlled environment. In some cases, it may be advantageous for a larger prime to construct a small, controlled environment for containing CUI. The prime can then give its subcontractors access to that controlled environment, so that the subcontractors do not require a higher maturity certification that may be financially prohibitive for a small organization. Such an arrangement is at the discretion of the prime and will likely be handled on a case-by-case basis, however, so it should not be relied on as the only method for small organizations to achieve compliance.

How do I hire and work with a C3PAO?

Currently there are no C3PAOs available to perform assessments. When they become available, you will be able to source a C3PAO on the official CMMC AB Marketplace located on https://portal.cmmcab.org/marketplace/.

When can I get audited and is there a prioritization for certification?

Up until now, provisional assessments have been performed to test and improve the developed assessment process. Following the provisional period, a pilot program will go into effect starting in 2021, in which additional assessors and C3PAOs will be brought on to further improve the process and conduct assessments. Prioritization will focus on a very small handful of contracts where certification will be required at contract award for the selected organization. Based on current timelines, these Pilot contracts will be the only contracts carrying CMMC requirements up through 2026, with the number of Pilot contracts expected to increase each year. By 2026 CMMC is expected to be required for all DoD contracts. If you are looking to receive a certification sooner, you will need to bid on and win one of the contracts selected to be part of the Pilot program.