How CMMC is a Unique and More Robust Mandate

By William Maki • June 21, 2021

As your organization is gearing up to start the process of attaining Cybersecurity Maturity Model Certification (CMMC), it is important to know how this cybersecurity standard compares to other regulations.


Five Ways that CMMC Differs from Other Laws.


1. CMMC is a certification.

Most regulations, laws, and mandates are attestations, but CMMC is more than that. It requires a third-party audit to certify that your organization is adhering to the cybersecurity practices and procedures the standard outlines. The audit must be completed by a CMMC third-party assessor organization (C3PAO), which then makes a recommendation to the accreditation body (AB) as to whether your organization meets the certification requirements. Attestations, by contrast, often require only that a company claim it is compliant, relying on organizations to self-report honestly without submitting supporting information and artifacts for confirmation.

Seeking certification will significantly impact organizations. Each company must decide if they are going to take CMMC seriously, dive in, and get it done. Does the potential revenue from bidding on and securing DoD contracts make this effort worthwhile? Only your organization can make that important decision for itself.


2. CMMC is an audit and not a point-in-time assessment.

In order to count as completed and apply toward certification, the controls must be mature. An audit typically reviews organizational policies and behavior over a period of time. With CMMC, assessors look at the maturity of the processes. It’s not just about the product, software, and tools; it’s also about the process, procedures, and organizational learning around each control.

For example, with a point-in-time assessment, what often happens is that an organization quickly implements the control or writes the policy, but that does not mean the policy is fully implemented. With a CMMC audit, by contrast, if a company has an acceptable use policy, the audit will review that policy, including the date it was created, the timeline of changes to it, and other proof that it has been in place and is truly part of the way the company operates.


3. CMMC is piloted.

Most laws or regulations are introduced quickly with organizations receiving little to no guidance, other than the necessity of being compliant by a certain date. The DoD and AB are rolling CMMC out in a controlled manner to address any issues upfront. This approach also provides companies the time they need to determine what the mandate requires, as well as the opportunity to implement any new processes or procedures before certification is mandatory. CMMC will not be fully implemented until late 2025. Each year the AB will require a few more contractors and subcontractors to be certified.


4. CMMC is pass/fail.

If your company fails to comply with the requirements of certification, you will forfeit your ability to secure valuable contracts from the DoD. As mentioned above, other regulations are self-reported attestations. If a company does not initially pass CMMC certification and therefore isn’t recommended for certification by the AB, it reportedly has a 90-day period to remediate, address minor issues, and resubmit. Any major deficiencies will require undergoing another assessment.

Your time commitment and the difficulty of passing CMMC depend on the size of your organization and the maturity level you are hoping to attain, which is dictated by the type of contracts you wish to bid on and the types of information your company receives.


5. Interim scoring system promotes early adherence.

The Supplier Performance Risk System (SPRS) interim scoring allows your organization, as well as the DoD, to see how you are doing. The score can range from negative 203 to a perfect score of 110, which your company earns only if it has properly implemented all 110 controls of NIST Special Publication 800-171.

Under the current DFARS rule, all companies doing business with the DoD must log their SPRS score. The assessment that happens as you determine your SPRS score is extremely helpful as you build your remediation plans to address your compliance deficiencies. As you improve your cybersecurity by implementing better practices, you may update your SPRS score, notifying the DoD of your commitment to meeting their requirements.

SPRS is a helpful centralized tool to help you get ready for CMMC. It is a stepping stone to monitor your progress and to help you get to where you’ll need to be by the 2025 deadline.


Next Steps

If you have any questions about CMMC and how to make your path to compliance easier, get in touch with the experts at CyberSheath. We can help you assess where your organization is now, build a plan to enable you to reach compliance, and help you implement the processes and technology required. Contact us today to get started.

