Cybersecurity Maturity Model Certification (CMMC) Preparation

A high-level understanding and navigation of the complexity around the Cybersecurity Maturity Model Certification (CMMC).

First DFARS and now the CMMC!!

If your business depends on Department of Defense (DoD) contracts, then you are already aware of the Defense Federal Acquisition Regulation Supplement (DFARS) mandate published in 2015, which requires DoD contractors to adopt the cybersecurity standards outlined in NIST’s SP 800-171 framework. Because of the failure of that somewhat self-regulated honor system (incentivized only by a competitive advantage in winning contracts), the slow adoption rate, and false claims of compliance, the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) model.

I am sure this raises many questions you are already asking yourself, such as:
  • What is the CMMC?
  • What do we know about it?
  • What can contractors expect as this is pushed out?
  • How and when can I get certified?

What is the CMMC?

The CMMC model will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”

The CMMC model is intended to combine various cybersecurity control standards, such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others, into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

What do we know about it?

The DoD is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).

The CMMC will serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place, both to ensure basic cyber hygiene and to protect Controlled Unclassified Information (CUI) that resides on the networks of the Department’s industry partners (contractors).

What can DoD contractors expect as this is pushed out?

DoD contractors will have to become CMMC certified by passing an audit performed by a DoD accredited auditor. Contractors will have to meet the appropriate level of cybersecurity for their business. This will become the requirement for anyone who wants to hold contracts with the Department of Defense or work as a subcontractor on DoD related projects.

How and when can I get certified?

Beginning June–September 2020, the DoD will be sending out certified third-party assessor organizations to conduct audits of contractors’ information systems to verify that they have met the appropriate level of cybersecurity controls.

Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level (1–5) upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

CMMC Levels

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. Here’s what we currently know about the CMMC levels and their respective requirements:

  • Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 Rev1.
  • Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 Rev1 plus 7 new “Other” controls.
  • Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 Rev1 plus 14 new “Other” controls.
  • Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls.
  • Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls of NIST 800-171 RevB plus 11 new “Other” controls.

Note: This information is based on Version 0.7 of the CMMC model. The number of controls per level could change in future revisions of the CMMC model. We will update this document as official updates are released. For more information, a full list of frequently asked questions can be found here.

Important Dates and Milestones for DoD Contractors

What level of the CMMC will I need to get certified?

This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. The entire point of CMMC is to make it more feasible for small to mid-sized businesses to become compliant while ensuring that any sensitive information or CUI your organization handles remains safe. This means that most companies will fall under Level 1 or Level 2 (which together map 64 controls from 800-171), while prime contractors can expect to become Level 3 certified (which maps all 110 controls from 800-171). Levels 4 and 5 (which map additional controls found in 800-171 RevB) will typically be required of the large primes such as Lockheed Martin and Northrop Grumman.

What should I do to prepare for an audit?

  • DoD contractors that have already implemented all NIST SP 800-171 controls should have no issues passing a CMMC audit up to CMMC Level 3.
  • For DoD contractors who have not implemented the NIST SP 800-171 Rev1 or RevB controls, the following options are available to prepare for a CMMC audit.

Although the DoD contractor is ultimately responsible for ensuring that their company meets the cybersecurity requirements, many DoD contractors that lack the resources or IT staff to ensure compliance choose to outsource the task to a Managed Security Service Provider (MSSP) that understands the complexity around the CMMC.

What should I do right now?

Regardless of whether you choose to keep this in house or outsource it, you will need to know how close or how far your business is from meeting any of the five levels of the CMMC. The most effective way to accomplish this is to have a third party perform a gap assessment to discover inadequate system configurations and processes that may not meet all of the required controls.

Without a gap analysis, it is impossible to know what changes an organization needs to make before it meets the required CMMC level. The professionals at an MSSP use their findings to create remediation plans that correct any problems and keep their clients in line with CMMC requirements. The gap analysis will either aid a DoD contractor in carrying out their own remediation plan, or they may opt to have a third party, such as an MSSP, perform the remediation for them.

Simpatico Systems understands the urgency around obtaining compliance, as well as the complexity of navigating NIST compliance and the Cybersecurity Maturity Model Certification (CMMC), to ensure that appropriate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) on DoD contractor systems and to ensure a successful audit and certification.

If you would like to speak with someone about preparing for a CMMC audit, give us a call at (806) 224-0300 to schedule a free consultation.