CMMC which stands for Cybersecurity Maturity Model Certification is the latest set of guidelines as prescribed by the DOD that implements the deadline for contractors to meet the new rules as it relates to cybersecurity practices and policies. This will need to be adhered to strictly by organizations that operate under the Defense Industrial Base (DIB).
These new guidelines began in November 2020 by self-auditing existing contractors of the need to become CMMC certified. By the start of January 2021, the new guidelines were already in effect and will need to be fully enforced by the end of 2026. This could mean an overhaul of the entire cybersecurity services or program for small businesses that operate within the framework.
While the aim of this initiative is for industry transformation by the end of the deadline, nearly 60% of the companies operating in the industry still aren’t aware of what is contained in the initiative. The necessitated the need for a guideline to let everyone involved become aware of what to expect. There is still a lot to do to bring companies up to speed about the need for compliance with the new requirements. And as already notified by the DOD, companies who make the effort to comply will benefit the more.
As It Stands
Only 42% of companies are familiar with the CMMC guidelines with only a percentage of companies successfully implementing NIST practices. And this is the actual framework that supports the requirement for CMMC.
What is Required?
To meet the full standardization of the certification, businesses operating under the framework according to the Department of Defense will need to meet the following requirements,
- Achieve five levels of certification
- Each level will need to be built on the previous one
- At attaining level 5 certification, companies will need to meet 171 practices
- The position of a company in the supply chain will depend on the certification required
Industries that Will Are Required to Obtain the CMMC
Ideally, anyone operating in the DOD supply chain will need to do well to get certified. The Department of Defense already postulates that the new standards will be challenging for nearly or more than 300,000 companies to meet. A certification between level 1 and level 3 will be necessary to qualify for government contracts.
The standards will need to be met by companies that deals with controlled unclassified information (CUI) and the companies that fall under this sector include
- Tax
- Provisional
- Statistical
- Privacy
- NATO
- Nuclear
- Legal
- Procurement and acquisition
- Proprietary Business Information
- International Agreement
- Financial
- Export Control
- Intelligence
Many other sectors will need to make it a must to fulfill the minimal obligations to be able to secure DOD contracts moving forward. In addition, subcontractors will also need to meet the relevant documentation which is the minimum CMMC 1 to be able to get contracts from the DOD. This link https://www.federalregister.gov/agencies/defense-department has more on the functions of the DOD.
Meeting the Requirements
For each level of certification, each contractor will need to exhibit beyond reasonable doubt that they meet the requirement after scrutiny.
Level 1
A basic cyber hygiene pass will be needed to get the CMMC level 1 certification. Many of the existing contractors already have what it takes to meet this certification and will only need to get certified by a third-party assessor organization. This will be enforced by simply checking that they meet the practices as set by NIST SP 800-171 Rev 1.
Level 2
An intermediate cyber hygiene level will need to be achieved to get the level 2 certification of the CMMC. A total of 72 practices will need to be met as set by NIST SP 800-171 Rev 1.
Level 3
For level 3, a good level of hygiene will be needed. This will help with securing contracts faster than levels 2 and 1. At this third level, a total of 130 practices will need to be met by the contractors to secure contract bids.
Level 4
This is a high level of cybersecurity response that enables a contractor to respond to the incidence of cybersecurity and prevent occurrence. You can check this page on how to prevent cybersecurity breaches.
Level 5
This is the highest level and at this stage, a contractor can boast of progressive/advanced cybersecurity and have fully matured to the capacity of optimizing processes.
Final Note
Contractors still have a long way before the DOD makes it compulsory by 2026. But it won’t be long before the Department of Defense further stiffen the restrictions on contractors with the right certifications.