Cybersecurity Maturity Model Certification (CMMC) is a new system to make sure Department of Defense (DoD) contractors have an adequate level of cybersecurity to work on a specific contract. It means an end to self-certification for cybersecurity, replaced with independent assessment.
Why Does CMMC Matter to Me?
CMMC compliance can affect your eligibility in two ways. First, you must achieve the lowest level of CMMC to bid for any DoD contract that involves handling Federal Contract Information.
Secondarily, an increasing share of DoD contracts involving Controlled Unclassified Information now require a specific level of CMMC. Eventually, this will be the case for all such contracts.
Responsibility in the supply chain works on a flow-down basis. That means each prime contractor (dealing with the DoD directly) checks that all subcontractors and suppliers further down the supply chain hold an appropriate certification for the work they will do and the information they will handle.
CMMC is made up of 171 different practices, each of which is a specific cybersecurity measure. Many will be familiar from the NIST 800-171 standard.
These practices have two organizational patterns: by subject and by a “maturity level” that shows the level of security sophistication.
The subject organization involves 17 domains (broad topics) covering 43 capabilities (narrower topics.) The five maturity levels range from 1 (basic) to 5 (optimized).
To achieve a CMMC compliance level, your organization must go through an independent assessment from an assessor that the CMMC Accreditation Body approves. You can hire the assessors through a central “marketplace,” but note that there is an element of price competition.
You start with an assessment for level 1 and must pass it before moving to the next level. You will only achieve a level if the assessment shows you are carrying out every practice for that level.
The nature of the assessment changes as the levels increase. Level 1 is largely a “pass or fail” checklist, and higher levels put more emphasis on your overall cybersecurity management and procedures.
When you achieve a level, you receive a CMMC certificate. Although your certification is normally valid for three years, you may need reassessment if you suffer a security breach.
Only the fact that you hold a CMMC certificate is public knowledge. The specific level you hold is not public knowledge but is known to the DoD.
Because the list of required practices for each level is public knowledge, there is no need to cross your fingers and hope you achieve a particular level. The more sensible approach is to carry out an internal assessment and fix any shortcomings so you can be more confident about passing a level.
This approach reduces the risk of unexpectedly failing an assessment and thus limiting or delaying your opportunities to bid for a wide range of contracts. That could be problematic in the coming months where the sheer number of contractors getting assessed for the first time could mean delays in booking a reassessment after an initial failure.
While you could do this entirely in-house, you may find it time-consuming and confusing if you aren’t an expert in the certification requirements. Most times, the best approach is to hire a CMMC consultant like TrinWare who can look for shortcomings and suggest changes before you complete the formal assessment itself.