The CMMC (Cybersecurity Maturity Model Certification) is replacing the previous cybersecurity self-assessment process known as DFARS (Defense Federal Acquisition Regulations System), which made businesses contracted to work with the Department of Defense (DoD) responsible for their own compliance. CMMC certification is achieved through external auditing, and failing will result in your business being unable to work with the DoD as a contractor, or even bid on contracts.
Read this CMMC audit guide to learn more about CMMC compliance, levels, timelines, and how to prepare for your CMMC audit.
What is CMMC compliance?
The CMMC is a new certification program for all DoD contractors who work with controlled unclassified information (CUI) and federal contract information (FCI). It comprises five different levels that gauge a business’s cybersecurity hygiene from Basic to Advanced.
Unfortunately, the DoD found too many of their contractors to be DFARS noncompliant, resulting in several data leaks and compromises in recent years. The new program will involve a mandatory third-party certification in the form of the CMMC Audit.
Who needs CMMC certification?
Any company contracted to work with the DoD that handles CUI or FCI in any capacity is required to comply with the National Institute of Standards and Technology (NIST) 800-171 regulations outlined in DFARS. If your business has worked with CUI or FCI in the past, the groundwork for complying with the lower levels of CMMC is already there.
CMMC consists of five levels of security clearance, the first three of which are equivalent to the original DFARS requirements. If you’re a small business that handles FCI or a minimal amount of CUI, the new compliance requirements outlined in CMMC should largely match your previous DFARS obligations, which means you’re already well on your way to complying with the lower levels.
If you’re a large business that regularly deals with CUI, you will need to upgrade your security. The DoD will assign you a CMMC level based on the amount of government information your organization handles. It will then be up to you to meet the CMMC requirements outlined by that level and seek out an audit to officially achieve your certificate.
💻 To learn more about who needs to be CMMC compliant, read our article Cybersecurity Maturity Model Certification (CMMC): What Manufacturers Need to Know.
What is a CMMC audit?
A CMMC audit is an assessment of your business’s cybersecurity by an accredited CMMC third-party assessment organization (C3PAO). Since CMMC is still in development, the CMMC Accreditation Body (CMMC AB), composed of volunteers working independently of the DoD, is also still developing as an organization. As a result, it will be some time before third-party assessments are available, because assessors are still in training. All companies that contract with the DoD will need to reach CMMC compliance by 2025.
But don’t breathe a sigh of relief just yet — preparing for a CMMC audit will take a lot of time, and the number of organizations within the Defense Industrial Base (DIB) is in the hundreds of thousands. When audits become available, they’ll be in seriously high demand, so it’s important to get the process started right away.
CMMC compliance timelines
According to CMMC Audit Preparation, the current timelines (as of October 2020) are listed below. Note that these dates continue to change, so check the CMMC Audit website regularly for the most up-to-date information.
- Mid 2020: Third-party auditors begin applying for accreditation
- Late 2020: Several (less than 20) DoD contracts are chosen to be the first to require CMMC certification
- Late 2020: Bidders on the trial DoD contracts start getting audited
- November 30, 2020: DFARS is modified to require submission of cybersecurity self-assessment for contract award. CMMC officially phased in over five years.
- Between 2021 and 2025: New Requests for Proposals (RFPs) gradually begin requiring CMMC certification.
The five CMMC levels
There are five different CMMC levels that signify the level of security your business needs to achieve. Your level is determined based on the size of your business, the type of work you are contracted to perform, and how much CUI you handle. Levels 1 and 2 contain fewer requirements than previously outlined in NIST SP 800-171, Level 3 is equal to NIST SP 800-171, and Levels 4 and 5 contain more security requirements than previously defined in NIST 800-171.
- Level 1: Basic Cyber Hygiene (17 security requirements)
- Level 2: Intermediate Cyber Hygiene (63 security requirements)
- Level 3: Good Cyber Hygiene (110 security requirements — equal to NIST SP 800-171)
- Level 4: Proactive (136 security requirements)
- Level 5: Advanced (140 security requirements)
CMMC audit preparation tips
CMMC certification is obtained through an audit performed by an accredited CMMC third-party assessment organization (C3PAO). To help contractors meet the new obligations, the DoD authorizes Registered Provider Organizations (RPOs) to provide CMMC consulting and support. RPOs are trained in CMMC methodologies and trusted by the DoD to provide CMMC audit preparation. Partnering with an RPO will simplify and accelerate the auditing process.
Determine CMMC certification level
How you prepare for your audit depends entirely on the level of CMMC certification you require. Small businesses that don’t work with CUI may need to do very little, whereas larger entities will have to implement a long list of additional security requirements in order to achieve CMMC compliance.
Levels 1 and 2 are for DoD contractors that do not generally deal with CUI. For example, most resellers will fit into this category.
Levels 3 and 4 apply to DoD contractors that handle CUI, including information such as schematics for DoD equipment. For example, a contractor that holds maintenance plans for equipment on the CUI network will require CMMC Level 3 or 4.
Levels 4 and 5 are at the high end and apply to contractors who need more sophisticated cybersecurity to protect CUI targeted by cyber adversaries, or advanced persistent threats (APTs). Examples include businesses that handle weapon test results or detailed manufacturing schematics.
Assess your current state of security
The next step is understanding your current state of security. If you are already following all of the previous NIST 800-171 requirements, and you only need a Level 1–3 certification, you may have very little to do to become compliant.
Complete a thorough assessment of your current state of cybersecurity to determine what steps you need to take to achieve and maintain CMMC compliance. Even if you only need low-level certification, it’s still important to assess your current procedures to ensure nothing has slipped through the cracks. Since you were previously responsible for assessing yourself, there could be requirements you didn’t know you were missing or protocols that need updating.
Curious to see where your business stands? Read our article How to Use an S2Score to Measure Your Organization’s Security Risk.
Establish a security roadmap
Based on your results, what do you need to do to achieve a successful assessment? Create a roadmap of the steps you need to take to become compliant in time for your CMMC audit.
Work backward from the date you need to be assessed to ensure your protocols and security measures are in place in time for your CMMC audit. Give yourself extra time in case you experience complications along the way. There could be long wait times for audit appointments, and you don’t want work to be delayed by a certification failure.
Get prepared with a COUPLE of GURUS
a COUPLE of GURUS is a CMMC Registered Provider Organization. As an RPO, we can ensure your organization is ready to pass the CMMC audit, whether you are applying for Level 1 or Level 5.
Contact a COUPLE of GURUS about the S2Score and how it can prepare you for your CMMC audit.