How to Become CMMC Compliant
In the coming years you will need to achieve the new Cybersecurity Maturity Model Certification to bid for many (and eventually most) Department of Defense contracts or work as a subcontractor. Here’s what you need to know and do to become CMMC compliant.
CMMC is a framework for cybersecurity standards with contractors (and their entire supply chain) achieving certification at one of five levels. Independent assessors verify whether contractors have met the standards and whether to certify them. Future DoD contracts will require certification at a specific level.
CMMC took effect as an interim rule from 30 November 2020. Although the rule is already effective, it will need to go through a Congressional review. A limited number of contracts will have CMMC requirements in 2021, with the number steadily increasing each year until 2025. The current plan is that almost all DoD contracts will have a CMMC requirement from the fiscal year 2026 onwards.
Assessment and Accreditation
Contractors must be certified by an independent assessor known as a CMMC Third Party Assessment Organization (C3PAO). The assessors are authorized and accredited by the independent CMMC Accreditation Body. Contractors cannot assess their own business or self-certify.
Contractors can find and select an assessor through a central CMMC “Marketplace”, filtering results by industry area, location or specific search terms. Assessors will compete on price to some degree.
Certification covers five levels. Contractors must achieve certification at each level in sequence (from 1 to 5) before applying for assessment at the next level.
The fact a contractor has received certification is public knowledge. Which level they have achieved will not be made public but will be known to the Department of Defense.
The measures required for certification are categorized into 17 broad areas of cybersecurity known as domains. Each domain is sub-divided into capabilities (43 in total) and then into 171 specific measures known as practices. Each practice is tied to a particular certification level, but not all domains have a practice at every level.
A contractor can only be certified at a level if the assessor concludes they have met the requirements for all practices at that level.
The assessment process will vary between levels, reflecting the “maturity” process of improving security. Level one assessment is largely an objective checklist of basic security measures. Levels two and three involve a closer examination of a contractor’s measures along with its overarching processes and approaches. Level four requires a contractor to develop and enact a culture and process of proactive security measures. A contractor achieving level five will have optimized their entire security setup.
A CMMC certificate is normally valid for three years before re-assessment is required. The DoD may order a re-assessment if a contractor is involved in a security breach but this isn’t an automatic consequence.
Prime contractors will be responsible for making sure their sub-contractors and suppliers have the appropriate CMMC level certification for the particular contract. This responsibility will flow down the entire supply chain.
Your Next Step
Whether you’re planning on taking steps toward becoming CMMC compliant or you simply want to boost your company’s cybersecurity, we can help. Contact us today for more information or to arrange a review of your set-up.