What Engineering Firms Need to Know About CMMC

Any firm that does business with the Department of Defense, prime contractors or subcontractors, must be CMMC (Cybersecurity Maturity Model Certification) certified.  Once the standard is fully in effect, the simple rule will be: No certification, no contract.

Notable Changes CMMC Compliance Will Require 

This represents two seismic shifts from the current model.  Previously, contractors were responsible for implementing and documenting cybersecurity requirements.  However, they were able to self-certify, or sign an attestation, that they believed they were compliant.  Under CMMC, newly created third-party auditors called CMMC Third Party Assessment Organizations (C3PAOs), must certify an organization’s compliance. 

Second, CMMC is a massive update and overhaul of the previous standards.  Most DoD contracts fall under DFARS (Defense Federal Acquisition Regulation Supplement) compliance.  The new standard updates the old frameworks to better reflect the modern workplace, as well as aligning with frameworks such as FedRAMP, NIST, and ISO.  It is also built to align with U.S. allies’ cybersecurity standards. Meaning it could end being a federal-wide, or even global, cybersecurity standard.

Speak with one of our CMMC specialists today
Steps for Achieving CMMC Certification

The CMMC was announced in mid-2019 and version 1.0 was published on January 30, 2020.  The framework consists of a set of 17 domains that are mapped across the five cumulative levels (Level 5 includes Levels 1-4). There are 171 cybersecurity best practices mapped across the five levels.  All of this is designed to serve as a verification mechanism to ensure that companies protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks. 

For Engineering firms that are currently prime or sub-contractors, or those that aspire to be, CMMC represents an immediate need to assess where they fall on the five maturity levels. While there have been delays, the rollout is inevitable.  RFIs and RFPs will soon include minimum certification requirements. 

As with many cybersecurity standards a lot of effort goes into documentation.  This includes company policies, a well-maintained plan that covers all related activities, and, in some cases, third-party vendors’ policies and certifications. 

Working through the documentation for internal controls, third-party vendors, and 171 best practices represents a workload that is probably too much for most internal IT teams.  They are typically staffed to handle the day-to-day IT operations and strategic projects of the organization.  Company leaders tackling CMMC certification will have to consider the right approach – staffing up, bringing in a team of out-sourced experts as contractors, or partnering with a vendor that can provide ongoing Compliance as a Service.

Some services might need to be upgraded.  Moving from off-the-shelf Office 365 to Microsoft’s Government Community Cloud (GCC) or Azure Government services.  Even your WIFI access points may need to be upgraded to comply with FIPS 140-2 cryptographic requirements.  Although the Windows Operating System has been FIPS 140-2 compliant for WIFI since Vista. 

We expect engineering companies will have much work to do to bring their cybersecurity controls up to the new standard.  According to Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in the Department of Defense who is leading the federal CMMC effort, “(o)nly 1%” for companies have implemented all of the NIST controls.  (Source)  This applies to the entire supply chain of approximately 300,000 vendor companies.

How a CMMC Consultant Helps with CMMC Certification

Our guidance is, first, for the firm’s executive and IT teams to review the 1.0 draft of CMMC. Second, develop an understanding of the scope of the impact of CMMC on the organization.  

For some organizations, CMMC compliance may only apply to a small part of the organization and the scope can be relatively narrow and defined.  For others, the scope may be organization-wide.  Next, conduct a current IT infrastructure assessment[AP1] .  

Organizations might want to begin the process of self-assessment based on the CMMC Assessment Guides from the DoD website to get a better idea of how much work might be involved in becoming compliant (whether from upgrades, documentation, policy and process creation).  Then the company leaders and IT teams can begin to plan for the necessary capacity upgrades and vendor engagements that will get them to compliance.

TrinWare’s CMMC Compliance Services

At TrinWare, our Next Generation IT Managed Services team of experts has the tools to start from an IT Infrastructure Assessment, bring an organization to a fully CMMC compliant state, and provide ongoing Compliance-as-a-Service.  

We help organizations remediate, upgrade, and develop the policies and procedures to get to their required CMMC level.  We have a DFARS, NIST, ISO and CMMC documentation platform that ensures ongoing compliance.  It allows an organization to adapt and change while remaining compliant across frameworks.  It is a comprehensive approach that goes beyond generic policies.  It is the foundation of your CMMC cybersecurity program.

Speak with one of our CMMC specialists today