Everything You Should Do to Effectively Prepare for Cybersecurity Maturity Model Certification (CMMC)

By Eric Noonan • July 18, 2019

CyberSheath has attended multiple listening sessions and events with DoD leadership revealing more information regarding the DoD Cybersecurity Maturity Model Certification (CMMC).  I want to expand on our previous blog with the additional details and actionable plans on what DoD contractors need to do to prepare for the changes.

What We Understand about CMMC so Far

CMMC stands for “Cybersecurity Maturity Model Certification” and will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in Request for Proposals (RFP) sections L and M to be used as a “go / no go decision.” This means that instead of the ability to bid and win a contract and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to the CMMC level required in advance, pre-bid, to even be eligible to bid. DoD will determine the appropriate tier (i.e. not everything requires the highest level) for contracts they administer and the required CMMC level will be contained in sections L & M of the RFP making cybersecurity an “allowable cost” in DoD contracts. CMMC level requirements will begin appearing in DoD RFP’s as soon fall 2020 and Version 1.0 of the CMMC framework will be available January 2020 to support training requirements. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information. DoD contractors are expected to begin achieving certification sometime after June 2020. That is less than 12 months away so if you have not started implementing the NIST 800-171 security requirements, you had better get moving.

How to Best Prepare for CMMC and Stay Eligible for DoD Contracts

All companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes. The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. If you have worked to implement NIST 800-171, your hard work will not go to waste. Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity and does not allow for self-certification. There will be no CMMC self-certification, instead, DoD contractors will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment.

Everything You Should Do to Effectively Prepare for Certification

All the information shared to date on CMMC maturity levels aligns with the implementation of the 110 security requirements of NIST 800-171. The DoD is building on and strengthening not abandoning NIST 800-171. While the specific maturity levels for individual contracts have not been determined it’s understood that implementing the NIST 800-171 security requirements is the best way to prepare for CMMC. Meeting your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171 implementation is how you prepare for CMMC.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to prepare for CMMC in a way that fits your business and budget.

5 Steps to CMMC Preparation

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft

CMMC Con 2021 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.