By Connie Palucka, NPDP Vice President, Consulting Catalyst Connection
By 2025, the Department of Defense will require all defense contractors submitting bids on defense contracts to prove that they are certified in a basic level of cybersecurity standards.
The DoD designed the Cybersecurity Maturity Model Certification (CMMC) as a unified standard for defense contractors to address cybersecurity issues. Between 2021 and 2025, new DoD requests for proposals (RFP) will gradually begin requiring CMMC certification.
Within five years, every DoD contractor and supplier will need to be audited and certified by an approved third-party auditor. Preparing for this audit can take a company six months to two years. As such, many small and medium-sized businesses grapple with finding the proper staff and financial resources it takes to ensure they’re meeting security regulations.
Level up in cybersecurity
An organization aiming to obtain contracts for the DoD will be required to complete the CMMC certification via a third-party assessor. In order to create a unified standard for cybersecurity, a selection of controls from the National Institute of Standards and Technology will be combined, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and others.
Through CMMC, auditors can verify that required security controls, processes, and procedures are being implemented by DoD contractors, versus allowing contractors to self-certify, which was allowed with NIST 800-171. In an effort to reinforce NIST 800-171 requirements, CMMC emphasizes auditing and monitoring processes in order to detect any incidents that may occur. There are five levels of cybersecurity within CMMC that range from basic skills to advanced knowledge.
CMMC requirements from Level 1 to 5 will be specified in Sections L and M of every DoD RFP. Having proof of certification at that level will be a requirement to even submit a bid. This means that every prime and subcontractor who works for the DoD will be required to certify, at a minimum, at Level 1.
Putting a policy in place can help make the process easier if contractors wish to obtain a higher level of certification in the future.
The CMMC levels are as follows: Level 1: Basic Cyber Hygiene: implementation of 17 controls; Level 2: Intermediate Cyber Hygiene: implementation of 72 controls (includes Level 1 controls); Level 3: Good Cyber Hygiene: implementation of 130 Controls (includes Level 2 controls); Level 4: Proactive: implementation of 156 Controls (includes Level 3 controls); and Level 5: Advanced/Progressive: implementation of 171 Controls (includes Level 4 controls).
CMMC was designed to help organizations achieve continuous improvement. Each level builds on the previous one, which provides a clear path for increased capacity and maturity.
Gaining success with CMMC
Similar to any compliance initiative, the success of CMMC is determined and supported by careful planning and interpretation of CMMC requirements at an organizational level.
By paying attention to guidance provided by compliance experts, core business processes can avoid any major disruptions.
Here are five tips for improving your success rate with CMMC.
For a free Catalyst Connection CMMC eBook, visit https://go.catalystconnection.org/cmmc.
For more information on CMMC certification, call (412) 918-4259 or email firstname.lastname@example.org.