The CMMC (Cybersecurity Maturity Model Certification) is the new cybersecurity requirement for the US Department of Defense’s contractors and subcontractors. It is designed to ensure that companies working with the US government have the proper IT processes in place to protect the government’s data.
CMMC guidelines can be overwhelming, so we have created this two-part explainer for small- and medium-sized businesses working with the DoD. If you are already familiar with the CMMC, skip ahead to the five essential actions SMBs need to take.
This first part covers the basics of the CMMC for small business owners, including the certification requirements and timeline, and best practices for achieving certification. The next part will look at the costs associated with CMMC and how to minimize them.
Basic overview of the CMMC
The CMMC is still called ‘new’, but it was actually announced in July 2019 and finalized in November 2020. The certification process is ongoing and extends to 2025. The CMMC was built on the foundation of existing security requirements defined by the National Institute of Standards and Technology (NIST). These requirements were published as NIST 800-171 and made contractually binding through the DFARS (Defense Federal Acquisition Regulation Supplement) in 2010.
Like NIST 800-171, the CMMC is designed to protect Controlled Unclassified Information, or CUI. Contractors working for the DoD are known as the Defense Industrial Base, or DIB. The mission of the CMMC is “to provide assurance that a DIB company can adequately protect sensitive CUI”, and certification is “a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices to protect CUI”.
What changes will CMMC bring?
As an expansion of NIST 800-171, the CMMC brings three significant changes:
- More levels: It has five levels of security certification where there were previously three. CMMC Levels 1-3 include the security measures previously required by NIST 800-171; Levels 4 and 5 introduce additional cybersecurity practices that are new to the CMMC.
- External audit: Self-certification is no longer possible. All companies that work with the DoD need to be certified by an accredited CMMC Third Party Assessment Organization (C3PAO).
- Stricter controls: Contractors were previously afforded leeway in the form of a Plan of Action and Milestones (POA&M), which could be submitted in lieu of unmet controls. Under CMMC this is no longer acceptable, meaning all controls must be met in order to achieve compliance and certification.
Who needs to gain CMMC accreditation and when?
The CMMC applies to any contractor handling Federal Contract Information (FCI) or CUI. A full list of CUI categories can be found here, but essentially they cover nearly all the contractors in the DoD supply chains.
There has been some confusion about the timeline for CMMC implementation. People have wondered what the late 2019 announcement meant for the future of their business, and NIST’s announcement that “The interim CMMC rule became effective on November 30, 2020” added to the uncertainty.
To help clear this up, the CMMC Accreditation Board held a town hall in early 2021 where they laid out the requirements a contractor has to meet, and by when. It was made clear that the CMMC rollout is not happening immediately with a single deadline. It will be implemented in phases, with the final phase ending with fiscal year 2025. By 2026, the more than 300,000 contractors working for the DoD will need to be certified at one of the five CMMC levels.
There are several reasons for this five-year process, chief among them the fact that NIST and the DoD do not yet have enough assessors to handle all of the businesses that need certification. Nor do they yet have the infrastructure and ecosystem built out to support and maintain the process.
The rollout begins in 2021, with CMMC becoming mandatory for a maximum of 15 procurements covering crucial DoD contracts, such as those linked to nuclear and missile defense. By 2022, this number is projected to reach 75; then 250 by 2023; 325 by 2024; and 475 by 2025.
Note that CMMC requirements apply to all organizations in the DoD supply chain, meaning DIB companies will need to determine whether their vendors are also subject to the new CMMC standards.
How should SMBs prepare for CMMC?
Despite the lengthy rollout, contractors working for the DoD must start preparing for CMMC now. For organizations that already maintain a high level of cyber hygiene, this process should be relatively painless, but developing procedures, documenting processes, and implementing solutions will be a lengthy task for many. For this reason, a minimum of six months should be set aside for achieving compliance.
What does CMMC mean for small businesses? Since the guidelines can be overwhelming, here are the five essential actions that the average SMB needs to take:
- Review implementation of NIST requirements
Because the CMMC is an expansion of the NIST 800-171 requirements defined in DFARS, it is essential that businesses planning for CMMC ensure they are following those requirements now. Organizations handling only FCI need to achieve CMMC Level 1, which covers basic practices such as using anti-virus software and strong password management.
The majority of those handling CUI will need to achieve CMMC Level 3 or higher. Level 3 encompasses all of the NIST 800-171 requirements plus some additional practices, and requires an organization to establish a plan for maintaining compliance. This is likely to be the most common challenge for SMBs. For any business wondering how well it meets the demands of the CMMC, a gap assessment will identify weaknesses in cyber hygiene and the quickest way to address them.
- Adopt good CUI cyber hygiene practices
Organizations should begin preparing by locating, identifying, and categorizing the CUI in their systems. The most sensitive data should be segregated and secured using encryption, access controls, system hardening, software patching, and employee security training. Procedures for monitoring and documenting access to CUI must also be implemented, as well as protocols for detecting, responding to, and recovering from data breaches.
- Demonstrate continual progress towards compliance
Documentation is a key element of CMMC, and small business contractors should start methodically tracking their compliance practices, policies, and progress now. This will demonstrate their ability to perform tasks in a repeatable way. Building and sticking to a Plan of Action and Milestones (POA&M) is a good way to oversee this process. Budgeting is also essential to ensure an organization can absorb the additional costs of CMMC. Read more about the costs associated with CMMC here.
- Conduct a preliminary self-assessment
As of the end of November 2020, the first step for all contractors in the DIB is to complete a preliminary self-assessment. To avoid the expense of a failed audit, this pre-assessment is essential. Advisory groups can offer guidance on carrying it out in-house, or a compliance specialist can be enlisted to conduct the assessment on an organization’s behalf.
- Stay up to date on the latest developments
Since the CMMC rollout is still in its early stages, it is important to stay aware of updates and developments by regularly visiting the DoD’s CMMC website.
Need help preparing for CMMC?
As an expert in regulatory compliance, Zeta Sky helps contractors prepare for the CMMC. For security and vulnerability testing, or for guidance on the CMMC self-assessment, schedule a Discovery Session with Zeta Sky today.