WHAT YOU NEED TO KNOW
CMMC Qualifications & Compliance
The Cybersecurity Maturity Model Certification (CMMC) arrived on the IT security stage in January 2020, introducing new standards of accountability and security for the defense supply chain. CMMC builds on pre-existing requirements such as the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks.
Unlike DFARS, which relied on contractor self-attestation, CMMC is enforced through assessment: every defense contractor and subcontractor must be audited and certified by a CMMC Third Party Assessment Organization (C3PAO). Holding a CMMC certification lets you bid on, and hopefully win, DoD contracts; without it you will either be ineligible or lose the portion of a contract award that requires certification.
CMMC is broken into five maturity levels. If you even loosely met the standards set out in DFARS or NIST SP 800-171, you should easily meet the procedural and process requirements of Level 1. Meeting higher-level requirements, however, may be challenging depending on your organizational maturity.
The first step to getting your CMMC is knowing exactly how CMMC will affect your organization.
If you currently hold a DoD contract or plan to bid on one, you will need a CMMC certification. “But my company only services the vending machines!” You still need one: CMMC applies to every prime contractor and to all of that prime's subcontractors. The only carve-out in the DoD's CMMC FAQ is for suppliers of purely commercial off-the-shelf (COTS) products. More than 300,000 companies make up the Defense Industrial Base (DIB), and all of them will need to hold at least a Level 1 certification.
Before hiring a C3PAO, do a self-assessment to determine whether you already meet Level 1. Level 1 consists of 17 practices and parallels the basic safeguarding requirements of FAR 52.204-21, which every federal contractor that handles Federal Contract Information must meet. It represents basic cyber hygiene and the minimum any contractor should already have deployed. While Emeritus is not a C3PAO, we provide services to assess your environment against these controls.
CMMC exists because the DoD needed a streamlined way to assess and raise the cybersecurity posture of the contractors and subcontractors in the DIB. It is intended to serve as a verification mechanism, ensuring that appropriate cybersecurity practices and processes are in place. It also enforces basic cyber hygiene and protects Controlled Unclassified Information (CUI) that resides on the networks of the Department's industry partners. Simply put, it is good for the industry.
As a DoD supplier, you almost certainly hold or create government data such as Federal Contract Information (FCI), and there is a good chance you hold CUI too. If you store, process, or transmit CUI, you will need at least Level 3 certification. Export-controlled data (for example, ITAR data) is also CUI, so it is subject to at least Level 3 requirements as well as ITAR's own additional rules on where the data may reside and who may access it.
CMMC does not replace DFARS or NIST SP 800-171. It builds on those standards, clarifying some controls and adding requirements around practices and processes.
You do not have to certify your entire network. CMMC version 1.0 states that a contractor can choose to “achieve a specific CMMC level for its entire enterprise network or for particular segment(s), or enclave(s), depending on where the information to be protected is handled and stored.” This matters because limiting the systems that store, process, or transmit CUI both shrinks your attack surface and lowers compliance cost. For example, if you run a cloud-based CRM and never put government data in it, you may be able to exclude it from your assessment boundary. Make sure the boundary is real, though: an enclave only reduces scope if it is separated from the rest of the network by enforced controls (network segmentation, separate accounts and access control), and any system that can reach CUI or administer the enclave is in scope.
Organizations may not self-certify, though each is encouraged to perform a risk assessment in preparation for the audit. You will need to hire a C3PAO accredited by the CMMC Accreditation Body (CMMC-AB) to perform the audit; registered C3PAOs are listed in the CMMC-AB Marketplace.
Reaching compliance takes time, often months. If you are starting from scratch, plan for at least six months. Writing policies, deploying solutions, and instituting the necessary culture changes all take time. If you do not have a compliance expert on staff, Emeritus registered practitioners can help.
The cost of certification varies. Factors such as the number of in-scope systems, organizational cyber maturity, self-assessment results, and the audit evidence you must produce all affect cost. DoD guidance states, however, that the cost of certification is an allowable, reimbursable expense.
What next?
Give Emeritus a Call
Ready or not, it’s time to get started on the road to CMMC compliance.
If you still have questions, additional frequently asked questions are available on the CMMC website.
CMMC Approves Emeritus as a Registered Provider Organization (RPO)