By now, you are familiar with the term CMMC—the DoD’s Cybersecurity Maturity Model Certification requirements as part of the Pentagon’s mandate to protect the industrial base networks and controlled unclassified information from cyber-attacks. What you may not know is where your company falls in the process. And you might be worried about the costs involved. Navigating and achieving compliance can be a daunting task, even for the security savvy. Let’s see if we can get you started on the process.
Without the required level of certification for a particular solicitation, a company will be deemed non-compliant and ineligible for an award.
CMMC defines five cybersecurity maturity levels, ranging from basic cyber hygiene (ML-1) to advanced cybersecurity practices (ML-5). Each level outlines the capabilities, processes and practices to reduce the risk of a security threat breaching a company’s cybersecurity defenses.
You can establish which level you will be expected to comply with by considering:
The majority of companies will require ML-1 initially, with ML-2 as an intermediate step for contracts/programs that will require a higher level of CMMC maturity. Maturity levels 3, 4 or 5 are for companies handling controlled unclassified information (CUI), at least right now.
Small- and medium-sized businesses, and those without cybersecurity expertise on staff, may need outside subject matter experts to determine how they stack up to required practices. A third-party review can be performed by a registered practitioner organization (RPO). RPOs have been trained on CMMC methodologies and processes and adhere to the RPO Code of Ethics. The process will identify gaps, remediate any practices that need help, and generate reports that will be used during your official CMMC assessment.
The RPO you select should provide an explanation of your gaps and the proposed solutions in terms you can understand, as well as a clear scope of work, estimated costs and a schedule for the work. There are several paths to fixing some of the more common control issues, so it’s up to your RPO to present options and make a case for their recommendations.
A side note about the cloud and remediation
A common security fix for many companies is to move controlled unclassified data and processes to a secure cloud environment. At first, Microsoft was suggesting that the only cloud environment that would be compliant for CUI/ML-3 in the CMMC model would be the Government Community Cloud High, aka GCC High. This is an expensive option for small businesses, and one that may far exceed most needs.
As controls and policies have been refined in the last year, more-affordable cloud solutions are being considered for storing most data, and the industry may only need GCC High for specified controlled unclassified information that has specific restrictions for data sovereignty and staffing of U.S. persons.
Now is a good time to talk about the cost of CMMC. We know that some of the costs associated with the CMMC process will be allowable but that’s little comfort to small businesses who need to outlay the funds now to bring their systems up to par and get their certification. This is where you’ve got to look past today and consider your company’s future.
The controls for CMMC ML-1 are good practices that we all know we should have been doing by now. Remediation isn’t free but it is an investment in your business that can drive efficiency, improve the employee experience, and ensure that you will be eligible to bid on and be awarded contracts.
You can keep an eye on those remediation costs by choosing a company that explains costs and controls thoroughly so unnecessary “extras” aren’t padding your final bill.
CMMC assessments are scheduled to start this fall. If your systems and policies are all in place and you have contract awards coming up in the next 12 months or hope to go after new business/partnerships/subcontracts soon, you should register for an assessment as soon as it’s possible. It may be possible to register for a Provisional Assessment now if your company is pursuing one of the CMMC Pilot Contracts. If your contract isn’t renewing for more than a year, it’s OK to wait on the actual certification process, and give your policies time to mature.
When you’re ready, here’s how things will go:
CMMC represents a giant leap forward for the contractor industry, but the entire process can take up to six months to complete. It’s important to get started now and not miss critical business opportunities.
Edward Tuorinsky, managing principal of DTS, a government and commercial consultant business, is a Service-Disabled Veteran with nearly two decades of experience in management consulting and information technology services. Derek Kernus, Director of Cyber Security Operations at DTS, holds CISSP and CCSP certifications and has a strong background in IT and government compliance.
Copyright © 2024 Federal News Network. All rights reserved.