Cybersecurity Maturity Model Certification (CMMC)
CMMC Updates and FAQs
What is CMMC and How will CMMC Affect the DoD Acquisitions Process?
CMMC stands for “Cybersecurity Maturity Model Certification” and encompasses multiple maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to state the required CMMC level in sections L and M of each Request for Proposal (RFP) and use it as a “go / no-go” decision. Instead of bidding, winning a contract and then complying post-award with cybersecurity requirements, DoD contractors will have to hold certification at the required CMMC level before bidding, simply to be eligible to bid.
DoD will determine the appropriate level for each contract it administers (not every contract requires the highest level), and that level will be stated in sections L and M of the RFP. The cost of achieving certification is intended to be an “allowable cost” in DoD contracts. CMMC level requirements are expected to begin appearing in DoD RFPs as early as fall 2020. Version 1.0 of the CMMC framework is scheduled for release in January 2020 to support training requirements, and by June 2020 industry should begin to see CMMC requirements in Requests for Information (RFIs). DoD contractors are expected to begin achieving certification sometime after June 2020.
Every company doing business with the DoD will need to be certified; the level of certification required depends on the Controlled Unclassified Information (CUI) the company handles or processes. The intent of CMMC is to combine various cybersecurity control standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032 and AIA NAS9933, into one unified cybersecurity standard.
Beyond the implementation of controls, CMMC also measures how well a company has institutionalized its cybersecurity practices and processes. There is no CMMC self-certification: DoD contractors will coordinate directly with an accredited, independent third-party commercial certification organization to request and schedule their CMMC assessment.
How to Prepare for the CMMC
CyberSheath advises focusing on what you are required to do today as the best approach to both current and future compliance requirements. Nothing that has been proposed eliminates the existing requirement to implement NIST SP 800-171.
There is no shortcut to compliance with all 110 NIST SP 800-171 security requirements, and CMMC is still an evolving model, but there is a practical and efficient way to move beyond product-vendor promises and follow a strategy that positions you for long-term success.
Don’t delay any longer: CMMC is coming. Download our 5 Steps to avoid penalties and make compliance a documented, automated outcome of day-to-day operations.