CMMC Explained: Important Details & Timeline

CMMC Explained

Understand what the Cybersecurity Maturity Model Certification (CMMC) is, why the Department of Defense is requiring it, and how to comply in order to maintain or obtain your DoD contracts.

YOUR TRUSTED ADVISOR

CHRISTOPHER GERG

CISO & Vice President of Cyber Risk Management

“We’re here to help you understand this new framework and get compliant but more importantly, to ensure that you proactively mitigate cybersecurity risks so that you don’t have a breach, like ransomware or intellectual property loss.”

With over 20 years of information security experience, Christopher has a deep understanding of how CMMC was developed, what it was derived from and most importantly, how to ensure your organization achieves the proper level of compliance.
He and our cyber risk management team are ready to guide you through the entire CMMC process.

What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the standard by which the Department of Defense will assess the cybersecurity of their contracted businesses. Depending on the nature of the product/service, certification may require only Basic Cybersecurity Hygiene (Level 1) all the way up to Advanced (Level 5). The level required will be specified in the RFP.

The cybersecurity of contractors will now be materially relevant to awarding DoD contracts. The development of this requirement is in direct relation to the DoD’s vested interest to defend the confidentiality, integrity, and availability of their contracted partners.

CMMC Level Requirements will be listed on DoD contract Requests for Information (RFIs) beginning in June 2020.

0Weeks0Days0Hours0Minutes0Seconds

CMMC Level Requirements will be listed on DoD contract Requests for Proposals (RFPs) beginning in October 2020.

0Weeks0Days0Hours0Minutes0Seconds

What Should I Know About CMMC?

There are a lot of questions and details to be addressed. As the rollout of the CMMC progresses, we’ll continue to update this page to keep you informed.

“This new framework defines what needs to be done in the DoD contracting world to ensure businesses fulfilling those contracts are demonstrating strong cybersecurity controls.”

How is a CMMC certification obtained?

Your company must contact a third-party assessor; after you identify the level required of your organization in the RFP, the assessor will determine whether or not you meet the requirements to be certified at that level. Self-certification is not an option. Your certification level will be public knowledge, but specific findings will not be publicly available.

How much will a CMMC certification cost?

The costs of the actual certification are going to be reimbursable under this program. However, costs to implement cybersecurity systems and processes in order to comply with the required certification level will be borne by the company.

When will the CMMC framework be available?

CMMC Version 1.0 is slated to be available in January 2020. CMMC requirements will begin to appear in Requests for Information in June 2020.

CMMC Levels Explained

Level 1

The CMMC Level 1 requires that organizations have basic cyber hygiene practices in place and are performing foundational cybersecurity processes.

Level 2

CMMC Level 2 is considered more intermediate and requires organizations to establish and document strategic plans, policies and standard operating procedures. The controls required in Level 2 enable organizations to address and combat more cyber threats than Level 1.

Level 3

CMMC Level 3 requires organizations to demonstrate good cyber hygiene practices and implementation to comply with NIST SP 800-171. Any defense contract involving Controlled Unclassified Information (CUI) will require a Level 3 certification. Level 3 organizations will be required to dedicate a manager to document and perform the recommended cybersecurity processes.

Level 4

CMMC Level 4 will require organizations to demonstrate a substantial and properly functioning cybersecurity program. Level 4 certification requires organizations to prove their overall cybersecurity activities are reviewed and managed to properly and quickly escalate matters if needed.

Level 5

The CMMC Level 5 certification indicates an advanced cybersecurity plan is in place. It also demonstrates the organization’s ability to make adjustments and optimizations in order to combat evolving threats.

“We know you don’t have a lot of time to study up on, prepare for and implement the necessary controls to meet these compliance requirements. Let’s get started now, together as a team, so you’ll be ready to meet the deadline this fall.”

What Should I Be Doing Right Now?

Take the First Step

Sit down with our experts to ask questions, learn more about the framework and understand how it will impact your business with our complimentary Executive Briefing. Under mutual NDA, we discuss the cybersecurity practices you currently have in place and what it will take to be one step closer to certification.

If you haven’t yet begun formalizing an information security program, now is the time. Since certification will be a determining factor in whether or not you can proceed with a DoD contract, you need to start preparing now for the eventual certification. It remains to be seen exactly what elements the DoD will stress over others, but establishing a program now will put you in a much stronger position later.

For more information, visit DoD’s FAQ page here: https://www.acq.osd.mil/cmmc/faq.html; the information on this page is drawn directly from this source.