CMMC - What It Is, Why You Need It,
and How to Get It
Did you know that cybercrime drains an estimated $600 billion from the global economy every year? With that much money at stake, it is no wonder cybercriminals keep searching for ways to penetrate their targets’ defenses. And with over 300,000 companies and subcontractors supplying the US Department of Defense (DoD), the defense industrial base (DIB) is one of the biggest targets for cyberattacks. Successful attacks on the DIB, and the resulting loss of intellectual property (IP), could substantially weaken United States defense capabilities and threaten national security. Consequently, cybersecurity is paramount for the DIB.
However, this is where things get complicated. How can the DoD meaningfully and objectively evaluate a DIB organization’s cybersecurity practices and processes? Cybersecurity questions are rarely answered with a simple “yes” or “no”. To streamline the evaluation of an organization’s cybersecurity practices and simultaneously increase the security and resiliency of the DIB, the DoD created the Cybersecurity Maturity Model Certification (CMMC).
What is the CMMC?
The CMMC is a certification the US Department of Defense recently introduced. It was conceived as a unified cybersecurity standard for the DIB, ensuring that controlled unclassified information (CUI) and federal contract information (FCI) are protected from unauthorized disclosure or use.
The CMMC exists to:
- Ensure suppliers and contractors know what is needed to defend themselves against (current and future) cyberattacks
- Verify contractors have robust controls to protect CUI
- Validate cybersecurity practices and processes and provide assurance to the DoD
- Ensure that an organization’s cybersecurity compliance is sufficient to handle its associated level of risk
- Encourage improved cyber hygiene at a manageable cost
The new CMMC requirements will be phased into DoD contracts, building on and consolidating the NIST, ISO, and DFARS security controls that contractors already had to meet. The DoD adds the CMMC requirements to its contracts, but the CMMC Accreditation Body (CMMC-AB) accredits the assessors and issues the certifications. With the transition to CMMC approaching, the AB must work fast enough to meet DoD timelines and ensure an ample supply of assessors for the (eventual) 300,000 DoD contractors requiring assessment. To ease the shift, the DoD is rolling CMMC out gradually, starting with only 15 pilot contracts in 2021 before it takes effect in all contracts beginning in 2026. That’s right: the CMMC requirements will apply to all DoD contractors and subcontractors.
What Are the Differences Between the CMMC and Previous Certification Requirements?
The CMMC defines five maturity levels. Each level adds a set of security practices and requires a higher degree of process maturity than the level below it:
- Level 1 – Organization performs processes and practices basic cyber hygiene
- Level 2 – Organization documents processes and practices intermediate cyber hygiene
- Level 3 – Organization manages processes and practices good cyber hygiene
- Level 4 – Organization reviews processes and practices proactive cyber hygiene
- Level 5 – Organization optimizes processes and practices advanced and proactive cyber hygiene
Which level an organization needs depends on the contract, but regardless of level there are key differences between the CMMC and previous certification models:
1. No self-attestation allowed. The CMMC seeks to eliminate the risk of self-attestation, which under previous certification schemes allowed companies with security gaps to continue providing products and services to the DoD.
2. Certification is pass/fail. The CMMC does not allow for partial compliance or for open items in a Plan of Action and Milestones (POA&M). Missing even one required practice or process during an assessment results in complete CMMC failure, requiring a re-assessment once the issue has been addressed.
3. Certain contracts have specific certification level requirements. Failing to acquire the CMMC level specified in the contract requirements can make your company ineligible to win that contract, either as the prime contractor or as a subcontractor.
Why Do Businesses Need the CMMC?
First and foremost, businesses need the CMMC to mitigate risk. The DoD relies on its extensive network of contractors to execute its mission, meaning that it entrusts each of them with critical and confidential data, which inherently increases the total risk profile of the DIB. Security breaches within the DIB are something everyone should be concerned about!
Secondly, having an appropriate CMMC certification can distinguish your organization from your competition when bidding on government contracts. For those reluctant to accept this, here’s the reality: achieving this certification is a necessary and urgent step towards winning and retaining contracts with the DoD and other U.S. federal agencies.
How Do Businesses Get CMMC Certified?
Under the new CMMC guidelines, organizations must be assessed by a Certified Assessor (CA) working for a CMMC Third Party Assessment Organization (C3PAO). Once an organization passes the assessment, the CA reports the result to the AB, which ultimately issues the certification to the organization.
If you’re worried about your organization’s ability to pass the CMMC assessment, you can schedule a readiness assessment (a gap analysis against the practices and processes required at your target level) before the formal assessment, so that your organization is successful the first time around.
We understand that this process can seem daunting. Luckily, designDATA is here to help. We are able to perform the CMMC readiness assessments necessary to get you audit-ready. We are also in the final stages of approval from the CMMC-AB to become a C3PAO and have several employees on track to become CAs. These approvals will allow designDATA to perform CMMC audits and issue official certifications for levels 1, 2, and 3, giving your business all the tools it needs to succeed! Find out more about our CMMC support here, and do not hesitate to get in touch with any further questions.