If you are a manufacturing company, distributor, or supplier that is part of the DIB (Defense Industrial Base) and wish to do business with the DOD (Department of Defense), then you must get CMMC certified as soon as possible.
As of now, CMMC is not mandatory for DOD contractors except for the roughly 15 prime contracts selected for the initial rollout, but it will become a prerequisite for all bidders within the next 4 years. According to the DFARS (Defense Federal Acquisition Regulation Supplement) Case 2019-D041 interim rule, the date is set to October 1, 2025, after which no organization will be allowed to bid on a contract without at least the CMMC level that contract requires (Level 1 at a minimum).
The DOD introduced the CMMC certification to protect sensitive information shared with federal contractors and subcontractors from data breaches that leak confidential information and harm US national defense.
Not only this, cybercrime already costs the US government billions of dollars, and global losses are anticipated to skyrocket from an estimated $600 billion a year (sourced from The Center for Strategic and International Studies (CSIS) and McAfee) to a whopping $5 trillion by 2024 (sourced from Juniper Research) if mitigation steps aren't taken soon!
A CMMC (Cybersecurity Maturity Model Certification) is a third-party certification that indicates to the DOD your organization's cybersecurity readiness and how capable your internal framework is of protecting sensitive government data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Know that there is still time to prepare and update your company’s security framework, but you must act quickly. The CMMC compliance process is not only long (six months or more is common) but quite technical as well. It can take weeks, and often months, for your company to align with the CMMC DOD requirements and achieve the certification.
Many DIB companies have already jumped on the bandwagon to find gaps in their security systems and adopt revised practices and procedures to meet the CMMC compliance requirements.
So where do you start?
First things first, you must fully understand what it takes to get CMMC certified. A CMMC certificate is generally valid for 3 years only. To get a CMMC certificate, a DIB company should follow two main steps:
Step 1: Self-Assessment
Although this step is not mandatory, the DOD encourages all contractors to self-assess before paying for the final certification. For this, you will first complete a self-assessment against the CMMC Assessment Guides posted on the DOD website. These guides are periodically updated, so always refer to the newest version.
Step 2: Hiring a CMMC third-party assessment organization (C3PAO)
The second step is to visit the CMMC Accreditation Body (CMMC-AB) Marketplace website and select an Authorized or Accredited C3PAO for your audit.
This C3PAO will be responsible for:
· planning your company's assessment goals,
· coordinating with your team for a smooth assessment,
· concluding all required contracts and agreements,
· performing the CMMC assessment,
· identifying deficiencies found during the assessment,
· determining the CMMC level your organization has achieved, and
· submitting a copy of the CMMC Assessment Report and the CMMC Certificate to the DOD.
All CMMC certificates will be recorded in the Enterprise Mission Assurance Support Services (eMASS) database as well as the Supplier Performance Risk System (SPRS).
The CMMC, or Cybersecurity Maturity Model Certification, is based on a progressive model made up of 5 levels, from Level 1 (lowest) to Level 5 (advanced). As the level ascends, more practices and processes are added. The levels build on the security requirements of NIST SP 800-171: Level 3 incorporates all 110 of those requirements and adds further practices on top of them.
To win a contract, a DOD contractor must pass the CMMC level specified in the Requests for Information (RFIs) and Requests for Proposals (RFPs). The levels are cumulative, so each level includes all the practices of the levels below it; a contractor only needs to certify at the level its target contracts require, not work up through every level to Level 5.
Here is a list of the levels in the DOD CMMC:
· Level 1: Basic Cyber Hygiene (17 practices)
· Level 2: Intermediate Cyber Hygiene (72 practices)
· Level 3: Good Cyber Hygiene (130 practices)
· Level 4: Proactive (156 practices)
· Level 5: Advanced/Progressive (171 practices)
The Gap Analysis pinpoints your company’s current security status vs. the required CMMC compliance status. During this step, you identify the areas (security hardware, documentation, internal framework, controls, and practices) that need improvement.
The Gap Analysis helps DOD contractors diagnose their security systems and determine what remedial steps (if any) are required for CMMC compliance.
The remediation step that follows is the most crucial phase of CMMC compliance, as this is where all technical and non-technical controls are implemented in the DIB company. Additionally, all required but missing paperwork is prepared and identified risks are controlled. Finally, any problems that appear are evaluated and solved as needed.
If you are targeting the initial CMMC levels (1-2), this step generally takes up to 2 months, while the higher CMMC levels (3-5) may take even longer, from 6 months to 1 year, depending on the existing security standing of your company.
Another important step in the journey towards CMMC certification is monitoring your security systems with the new controls and practices in place. These practices should be 100% up and running in your company before the final C3PAO assessment.
During this step, any faults or gaps are detected and resolved. Lastly, evidence of readiness is collected, including (but not limited to) relevant log files, documents, records, and other data that show which procedures and functions are currently active.
This step is typically cumbersome and may take up to several months. If you do not have the expertise in-house, you may choose to get professional help by outsourcing. You can choose between a Managed Security Service Provider (MSSP) and a CMMC Registered Provider Organization™ (CMMC-RPO), both of which specialize in cybersecurity and can relieve you of the extra burden.
If you wish to earn a DOD contract, you must have a fully updated and valid System Security Plan (SSP) ready for the DOD and your assessor to review. Hence the SSP is a critical document for earning the CMMC certification.
Based on the NIST SP 800-171 and CUI requirements, the SSP must describe how CUI flows between the company's systems, as well as which authorized personnel handle the CUI.
Other information it may include is workforce security tasks, network flow diagrams, and administration responsibilities.
Get Ready for Final CMMC Audit
Now that your security system is fully prepared for assessment, you can hire a CMMC Third-Party Assessment Organization (C3PAO) of your choice. The C3PAO will audit your company’s cybersecurity readiness and report its findings to the CMMC Accreditation Body (CMMC-AB), which will then award you the CMMC certification.
Acropolis is an IT managed services company that can help you prepare for the CMMC certification by answering any questions you might have and providing you with the next steps and directions.
If you would like to speak to our team for a discussion about CMMC requirements, fill out the form below or call us at 800.742.6316.