In November 2020, the US Department of Defense (DoD) rolled out a new certification standard for contractors known as Cybersecurity Maturity Model Certification (CMMC). The goal of this certification is to tighten cybersecurity protocols and lower vulnerabilities to possible cyberattacks.
In the past, various regulations have included cybersecurity components. However, the CMMC was specifically developed to address digital security concerns. This is a major rule change for industries and businesses working with the DoD and other government agencies— one that could potentially change the way they approach their cybersecurity tools and processes.
This article listed some of the key points you should know as the CMMC certification standards start to take effect.
CMMC Is For All DoD Contractors With A Gradual Rollout
Most businesses wonder if they actually need CMMC, and if so, when. Well, there are several parts to answer this. Generally, the DoD doesn’t include CMMC requirements in current contracts.
By the end of 2021, however, at least 15 contracts should contain CMMC requirements. This number is expected to rise exponentially every year. And by 2025, the DoD expects that almost 480 contracts should have CMMC clauses, and over 45,000 are certified contractors.
With that said, if you’re a DoD contractor or subcontractor working on a DoD project, then you should expect CMMC requirements to apply to your company sooner.
There’s A Varying Cost For Certification
With any certification, there is no “one size fits all” cost for CMMC certification. The cost of obtaining a CMMC certification can be quite high, based on specific scenarios.
In general, the cost to individual businesses for meeting the CMMC requirements can vary depending on:
- The size of the business
- The level of security in place
- The complexity of internal systems
- The CMMC level the business is trying to certify for
If you want to know more about the cost of CMMC certification, you can check it over at this website.
There Are 5 Levels Of CMMC
CMMC has 5 tiered levels and the level of certification your business needs will depend on the kind of contacts you intend to bid.
Level one certification follows the most basic cyber security best practices and what should every government contractor be doing already. It has the same requirement as the existing FAR 52.204-21 requirements including maintaining anti-virus software, following strong password protocols, and running regular software updates.
A level two certification requires compliance with intermediate cybersecurity standards. It’s like a transitionary stage for level three and is a must for any business working with controlled unclassified information (CUI).
For businesses storing or processing CUI, possessing government data, holding Federal Contract Information or export-controlled data, a level three CMMC compliance is a must. A level three CMMC is what most government contractors should aim for.
Like level two, level four is a transitionary stage for level five. Requirements for this CMMC level can be pretty challenging, requiring you to take measures not only to protect yourself against run-of-the-mill cyberattacks but also the advanced persistent threats including terrorist organizations and rogue nation-states.
As the highest CMMC certification level, businesses at this level should have a fully optimized process in place as well as cutting-edge cybersecurity tools to prevent the most sophisticated hacking methods.
You Need To Obtain Certification With A Designated Assessor
For businesses who want to work with DoD contracts, you’ll be responsible for complying with CMMC requirements and obtaining certification. This means that you have to contact a C3PAO and hire them to review your security practices to ensure that you meet the desired certification level.
In addition, subcontractors also need to meet CMMC requirements before working with primary contractors. However, subcontractors don’t need to have the same level of certification as the primary contractors if they don’t handle as much data as the primary contractors.
This allows CMMC rollout to be as smooth as possible for businesses, particularly for small businesses.
CMMC Requirements Are Closely Similar To NIST 800-171
Before CMMC, there was the NIST 800-171. This is a cybersecurity standard outlining several aspects of business security. It was implemented as a self-assessment; however, it was found out that most organizations don’t actually follow or enforce these regulations.
CMMC is based on NIST 800-171, so it shares numerous requirements. However, CMMC does have some additional measures and is expected to be more strictly enforced with 3rd party audits, assessments, and certifications.
The DoD relies heavily on contractors in order to accomplish its objectives. However, they also consider cybersecurity as a critical part of national security. And contractors who wish to serve and work with the DoD should start prioritizing CMMC certification, showing just how much they prioritize cybersecurity, giving them a competitive edge.