Are You Ready for CMMC?

Are You Ready for CMMC?

The defense contracting and manufacturing community is currently hyper-focused on a new set of technology requirements that are rolling out, vying for Department of Defense contracts, and aiming to be ready to bid before competitors.

Adversaries of the United States are already aware of the defense contracting infrastructure, recognizing that defense contractors have access to immense volumes of confidential and sensitive information. Contractors working with the Department of Defense, NASA, GSA, and other federal and state agencies face major risks of data loss as cybercrime continues to become more sophisticated. The Department of Defense estimates the value of data lost to our adversaries is roughly $60 billion annually.

The Cybersecurity Maturity Model Certification (CMMC) is a certification and compliance process for the Department of Defense to have confidence that all contractors with defense contracts have the proper controls in place to protect federal contract information and controlled unclassified information (CUI), which is data that is considered sensitive to the interests of the United States but not considered classified. CMMC is designed in part to resolve struggles with NIST cybersecurity standards compliance by recognizing the different needs of different organizations for levels of security.

What is CMMC?

CMMC helps clarify the level of security deemed necessary for defense contractors based on the contract for which the contractor is bidding. There are five levels of CMMC security requirements:

1. Basic – requirements at this level include the use of updated antivirus software and protocols for strong passwords
2. Intermediate – an organization is expected to establish and document standardized policies, procedures, and strategic cybersecurity program plans
3. Good – this level of CMMC requirements is based on NIST 800-171, with 47 security controls and technology security requirements designed to meet standards to protect CUI
4. Proactive – organizations meeting CMMC level 4 requirements have a sophisticated technology security ecosystem designed to evolve with changing needs and audit IT systems to proactively update policies and procedures. Some of the requirements at this level are similar to DFARS requiring contractors to be prepared for advanced and persistent threats.
5. Advanced – the topmost tier of CMMC requirements adds 30 security controls beyond those outlined in level 4, with technical requirements focusing on auditing and management processes.

Why Does CMMC Compliance Matter to You?

All Department of Defense contractors must be CMMC compliant, and our “5 Steps You Need to Take Now: Everything You Should Do to Effectively Prepare for Cybersecurity Maturity Model Certification (CMMC)” outlines a helpful roadmap to navigate CMMC and make sure you have the right systems and controls in place:

Are you NIST 800-171 compliant?

NIST 800-171 requires you to have a System Security Plan (SSP), with a detailed description of your IT system environment, how security requirements are implemented, and how your systems work together or with other systems

Document Plans of Actions and Milestones (POAM)

This is designed to support your ability to correct system deficiencies or eliminate system vulnerabilities.

Implement required controls

Where organizations long ago could bring in a requirements auditor for a week or two to identify your compliance sufficiency level and certify your compliance, today’s complex requirements compliance processes require a far more significant commitment due to the nature of the defense contract. The significance of the data poses a much greater risk today, requiring more stringent and detailed cybersecurity protocols. Partner with a firm well-versed in CMMC requirements for efficiency.

Most importantly, defense contractors need to maintain compliance. Engage a CMMC-AB trained professional or firm for guidance and prep to ensure your business is ready.