CMMC is designed to protect two specific kinds of information:
CMMC outlines procedures businesses must follow to protect FCI and CUI if they intend to work with the DoD or any other federal agencies that adopt these standards.
Past cybersecurity standards, including NIST 800-171 and FAR 52.204-21, required only self-assessments: companies had to maintain a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M), but no federal auditors verified that the standards had actually been implemented. This put compliant businesses at a disadvantage: they dedicated resources to meeting these standards while bidding against companies that claimed to have security initiatives in place but never had to demonstrate proof. It also left gaps in the effort to protect CUI.
After CMMC goes into effect in Fall 2020, all businesses contracting with the DoD will be required to hold certification at a certain level, depending on the nature of their contract. Level 1 is equivalent to FAR 52.204-21, so businesses that have already achieved this standard independently will have a head start on those just beginning the process.
Most non-prime businesses will need to meet Level 3 standards, which include all 110 NIST controls plus an additional 20 controls specific to CMMC. Implementing these controls will take a concerted effort by any business required to demonstrate compliance. However, CMMC certification will offer significant competitive advantages to businesses, because only certified organizations will be allowed to bid on and accept government contracts that involve CUI.
Many businesses are facing pressure to adopt these measures and achieve certification quickly. However, the certification process is, in many cases, more involved than these businesses expect. To approach the process productively, there are several expectations businesses should have about what is required of them.
1. The process to achieve CMMC can take up to twelve months… or more.
Businesses cannot meet CMMC standards overnight. In fact, it could reasonably take most businesses at least a full year to be ready for certification. With the standard starting to roll out in late 2020, many businesses are already behind schedule. If your business plans to bid on DoD contracts in the upcoming year, it is imperative that you begin working toward satisfying the requirements as soon as possible.
2. Achieving CMMC will require active participation by the company.
Many companies expect to hire an outside contractor to bring their systems up to CMMC standards for them, which is not a realistic understanding of what compliance requires. Achieving and maintaining compliance requires the company's active participation and its own implementation of the standards, processes, and procedures.
At PC Miracles, we work closely with our clients, explaining the full CMMC process, walking through their infrastructure, looking at the technical controls, and reviewing the policies that demonstrate how the control is being enacted. We can assist in moving the process forward, but the client is responsible for implementing its new cybersecurity policies.
3. CMMC is awarded on a pass/fail basis.
In the past, it was considered sufficient for businesses to present a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in order to be qualified to accept DoD contracts. A business only needed to document its intent and plan to meet the requirements. CMMC goes a step beyond this by requiring a business to be certified as having already met them. CMMC is awarded on a purely pass/fail basis.
4. Maintaining CMMC standards is an ongoing process.
Companies are often under the mistaken impression that meeting CMMC requirements can be left to the IT department. However, practicing cybersecurity hygiene is a more holistic process that must incorporate multiple departments, from HR to Operations. Employees must be trained in the appropriate procedures, and new workflows must be designed to ensure the controls are followed.
Seeing this process through requires a “compliance manager” who can work on maintaining CMMC requirements. Some standards require continuous monitoring, review, recurring tasks and documentation. Cybersecurity threats and standards are also constantly evolving. Businesses that pass these standards will be certified for three years, but without an individual monitoring and maintaining compliance requirements, an organization is likely to fail future audits.
If you are ready to prepare your business for Cybersecurity Maturity Model Certification, we can help. We have experts on our team who can work with your business and your CMMC compliance manager to guide you toward satisfying all the requirements you will need to meet to earn your certification.