What is Cybersecurity Maturity Model Certification (CMMC) Compliance

The Defense Industrial Base (DIB) sector manages a wide array of sensitive data as part of the supply chain for the United States Department of Defense (DoD). As more nation-state cybercriminals look to steal information or interrupt mission-critical defense operations, they increasingly target the DoD’s supply stream, including subcontractors who work with larger defense contractor […]

The Defense Industrial Base (DIB) sector manages a wide array of sensitive data as part of the supply chain for the United States Department of Defense (DoD). As more nation-state cybercriminals look to steal information or interrupt mission-critical defense operations, they increasingly target the DoD’s supply stream, including subcontractors who work with larger defense contractor partners. To enhance the security and resiliency of the DIB sector, Cybersecurity Maturity Model Certification (CMMC) compliance focuses on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

What is the Cybersecurity Maturity Model Certification (CMMC)? 

The CMMC is a maturity model, not a regulation, meaning that it is a set of best practices for establishing policies and procedures enabling organizations to set benchmarks for measuring their cybersecurity programs. As organizations add more policies, processes, and controls, they become “more mature,” reducing data breach risk, which ultimately provides greater confidence in their ability to protect sensitive government data.

Since DoD contractors need to meet a variety of different cybersecurity compliance requirements, CMMC aligns with other mission-critical standards and frameworks, including: 

• Federal Acquisition Regulation (FAR) Clause 52.205-21
• National Institute of Standard and Technology (NIST) Special Publication (SP) 800-171
• Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012

Fundamentally, CMMC establishes a consistent approach to cybersecurity across the DIB so that the DoD and its contractors can standardize their controls. 

Who needs CMMC certification? 

Any company with a DoD contract will ultimately be required to be CMMC certified, including small businesses. With the CMMC, the DoD has a way to certify the cyber readiness of both its largest contractors, or “primes,” and smaller businesses that subcontract through primes. 

As a small business, you may feel that this is an overburdensome requirement. However, looking at the 2020 Cost of a Data Breach Report, third-party software vulnerabilities led to 16% of malicious breaches and increased the overall average costs of a data breach by $207,411. 

For the DoD, an SMB with an immature cybersecurity program can lead to a security incident compromising national security. A single successful phishing attack at an SMB who subcontracts with a prime leaves a ripple effect throughout the entire supply stream. For example, if one of your organization’s users has a compromised password that is also used as a login with the prime contractor, then that prime’s data might be compromised as well. If that prime’s data includes confidential information, cybercriminals can now steal that data. 

While CMMC compliance appears overburdensome, the DoD is attempting to create a standardized approach throughout the supply chain to ensure continued protection of sensitive information. 

What are CMMC levels? 

As a maturity model rather than a prescriptive standard, CMMC assigns a company a “level” that aligns with a cybersecurity journey. Each maturity level aligns with a set of policies and processes indicating how well a company manages its cybersecurity. The CMMC establishes 5 different levels:

• Level 1: Performing best practices for cyber hygiene but often on an “ad hoc” basis
• Level 2: Documenting processes for consistency as intermediate cyber hygiene
• Level 3: Managing processes for good cyber hygiene programs. 
• Level 4: Reviewing and measuring activities for a proactive cybersecurity program
• Level 5: Optimizing and standardizing processes across the organization for an advanced/progressive cybersecurity program

Often, SMBs find that they are engaging in basic cyber hygiene practices but not documenting their activities. For example, you’re likely already using and updating antivirus software. However, if you’re not documenting how often you update the software to ensure continued best practices, you’re a Level 1. If you have a cybersecurity policy that defines how you use antivirus software and how often you apply software updates, you practice Level 2 capabilities. 

Each level adds another layer of monitoring, governance, and documentation as your organization increases its program’s capabilities. 

How does an organization get CMMC certified?

Getting CMMC certified requires going through a series of steps that all lead up to a final audit done by an external third-party auditor. 

At present, the majority of the documentation set forth by the CMMC Accreditation Body (CMMC-AB) is general. However, the steps laid out to date indicate that CMMC certification will follow ten steps, similar to other certification processes:

1. Understand requirements
2. Define your scope: full enterprise, organization unit, or singular program
3. Identify the desired maturity level necessary for the types of contracts you bid on
4. Potentially engage in a pre-assessment using a Registered Provider Organization (RPO) or CMMC 3rd Party Assessment Organization (C3PAO)
5. Close identified gaps
6. Find a C3PAO on the CMMC-AB marketplace
7. Conduct the assessment using the C3PAO’s Certified Assessment Team
8. Resolve findings within 90 days
9. Submit assessment to CMMC-AB for review
10. Obtain 3-year certification

Demonstrating Compliance with CMMCplus

As a subcontractor, CMMC compliance and certification can feel overwhelming, yet by 2025 it will be a requirement for any organization that relies on DoD contracts. CMMCplus is a web-based tool that helps SMBs navigate CMMC compliance. Companies can walk through an initial assessment that helps them determine their CMMC Level and engage in a preliminary review of the controls needed to meet compliance requirements. 

We also work with several CMMC RPOs and C3PAOs so that we can connect you with partners who can help you manage the audit requirements and understand the needs of SMB contractors and subcontractors. 

For more information about how we can help you achieve CMMC certification, contact us today.