WHAT YOU NEED TO KNOW
CMMC Qualifications & Compliance
The Cybersecurity Maturity Model Certification (CMMC) came onto the IT security stage in January 2020, introducing new standards of accountability and security for the defense supply chain. CMMC builds on existing requirements such as the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and the National Institute of Standards and Technology (NIST) SP 800-171 framework.
Unlike DFARS, however, CMMC is strictly enforced: every defense contractor and subcontractor must be assessed and certified by an accredited CMMC Third-Party Assessment Organization (C3PAO) rather than attesting to its own compliance. Holding a CMMC certification at the required level lets you compete for and be awarded DoD contracts; without it, you will be ineligible for the award (or, as a subcontractor, for the portion of the work that flows down to you).
CMMC version 1.0 defines five maturity levels. If you have met the existing DFARS and NIST SP 800-171 requirements to any reasonable degree, you should easily meet the 17 practices of Level 1. Meeting the higher levels, which add further practices and require documented and managed processes, may be challenging depending on your organization's maturity.
The first step to getting your CMMC is knowing exactly how CMMC will affect your organization.
If you currently hold a DoD contract or plan to bid on (and win) one, you will need a CMMC certification. "But my company only supplies snacks for vending machines!" You still need one. CMMC applies to every prime contractor and to all of that prime's subcontractors, and it is not limited to IT or engineering firms. DoD estimates that more than 300,000 companies make up the Defense Industrial Base (DIB), and every one of them will need to hold at least a Level 1 certification.
Before engaging a C3PAO, perform a self-assessment to determine whether you already meet Level 1. Level 1 consists of 17 practices that parallel the requirements of FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), which applies to any federal contractor whose systems hold Federal Contract Information (FCI). It represents basic cyber hygiene: the minimum controls any contractor should have deployed already. Emeritus is not a C3PAO, but we provide services to assess your environment against these controls.
Simply put, CMMC is good for the industry. DoD needed a streamlined, verifiable way to assess and improve the cybersecurity posture of the contractors and subcontractors in the DIB, rather than relying on the self-attestation that DFARS allowed. CMMC is intended to serve as a verification mechanism, ensuring that appropriate cybersecurity practices and processes are actually in place. It enforces basic cyber hygiene across the supply chain and protects the CUI that resides on the networks of the Department's industry partners.
As a DoD supplier, you almost certainly hold or create government data such as Federal Contract Information (FCI), and there is a good chance you hold Controlled Unclassified Information (CUI) as well. If you store, process, or transmit CUI, you will need at least a Level 3 certification. Export-controlled data (for example, ITAR technical data) is a category of CUI, so it too falls under Level 3 requirements, and in addition it is subject to ITAR's own restrictions on foreign-person access and on where the data may be stored or processed.
CMMC does not replace DFARS or NIST SP 800-171. It builds on them, clarifying some controls and adding requirements around practices and process maturity.
No, you do not have to certify your entire enterprise. CMMC version 1.0 states that a contractor can choose to "achieve a specific CMMC level for its entire enterprise network or for particular segment(s), or enclave(s), depending on where the information to be protected is handled and stored." This matters: minimizing the number of systems that store, process, or transmit CUI shrinks your attack surface and lowers compliance costs. For example, if you run a cloud-based CRM and never put government data in it, you may be able to exclude it from your assessment boundary. The boundary only holds if the enclave is actually isolated; CUI that leaks into the CRM through e-mail attachments or file sync pulls that system back into scope.
Organizations are not allowed to self-certify. They are, however, encouraged to perform their own risk and gap assessments in preparation for the assessment. The assessment itself must be performed by a C3PAO accredited by the CMMC Accreditation Body (CMMC-AB); you can find one in the CMMC-AB Marketplace.
Becoming compliant takes time, months in most cases. If you are starting from scratch, plan for at least six months. Writing policies, deploying technical solutions, collecting evidence, and making the necessary culture changes are all efforts that take time. If you do not have a compliance expert on staff, Emeritus Registered Practitioners can help.
The cost of certification varies. Factors such as the number of in-scope systems, your organization's cyber maturity, self-assessment results, and the amount of assessment evidence you must produce all affect it. DoD has stated, however, that the cost of certification will be treated as an allowable cost; note that an allowable cost is recoverable through contract pricing, not a direct reimbursement.
Give Emeritus a Call
Ready or not, it’s time to get started on the road to CMMC compliance.
If you still have questions, additional frequently asked questions are available on the CMMC website.
CMMC-AB Approves Emeritus as a Registered Provider Organization (RPO)
Emeritus is now a CMMC-AB Registered Provider Organization (RPO). This status officially marks our entry into the CMMC ecosystem and is part of the firm's ongoing expansion of services for defense contractors and other clients seeking help with CMMC. We are ready to assist customers in their preparation to become CMMC certified and to contribute to the protection of the Defense Supply Chain.
The Cybersecurity Maturity Model Certification (CMMC) establishes a set of mandatory cybersecurity requirements across the Defense Industrial Base (DIB) and Defense Supply Chain (DSC). Contractors must hold the certification level appropriate to the information they handle, whether Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), in order to be awarded DoD contracts.
According to the CMMC-AB, an RPO is:
- Aware: employs staff trained in basic CMMC methodology.
- Registered Practitioner staffed: offers non-certified consultative services through Registered Practitioners (an RPO advises and prepares; it does not assess or certify).
- Targeted: focused on preparing organizations for CMMC assessment.
- Trusted: bound by the CMMC-AB professional code of conduct.
Having met each of these qualifications and been granted RPO status by the CMMC-AB, Emeritus is now officially part of the CMMC ecosystem and continues to deliver cybersecurity solutions and services that help organizations meet CMMC and NIST SP 800-171 requirements.