BACKGROUND ON CMMC?
For years the DoD has required contractors to self-attest to NIST 800-171 to demonstrate a level of maturity within the organization’s cybersecurity controls program. This self-attestation has not been working. Contractors continue to be involved in cybersecurity breaches and sensitive information pertaining to DoD programs and intellectual property is lost.
The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity certification which is required by the US Department of Defense (DoD). Starting in 2021, the DoD will issue RFPs which contain a level of the CMMC required to be awarded a contract. By 2026, all DoD contracts will require a CMMC certification.
The CMMC includes requirements from NIST 800-171, the Federal Acquisition Requirements (FAR) document 52.204-21, and other frameworks. CMMC certification is defined by five levels, each of which require more practices and controls than the previous with level one being the lowest and five being the highest level. The certification will be valid for a three-year period.
DOES MY ORGANIZATION NEED TO BECOME CMMC COMPLIANT?
Any organization and its subcontractors that bid on a DoD contract that contains Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will be required to be CMMC compliant. The level of compliance (1-5) will be dictated in the contract. Commercial off-the-shelf (COTS) products will not require CMMC compliance. If your company receives FCI and does not possess, process, or receive CUI under the contract, you will only need to obtain CMMC Level 1 certification. However, if your organization receives CUI under the contract, then CMMC Level 3 will be required as the minimum. Information produced by the CMMC Accreditation Body at this time indicates the vast majority of organizations will only need to obtain CMMC level 1 certifications.
WHAT IS THE TIMELINE?
Beginning in 2021, the DoD plans to slowly release RFPs with CMMC requirements. During the first year they anticipate 15 prime contracts being released which will have an estimated impact on 1,500 subcontractors of the primes. Each year they will ramp this up until all contracts require CMMC in 2026. In order to be awarded a contract or be a subcontractor on a contract requiring CMMC, you will need to have achieved your certification. This means now is the time to start preparing. Stinnett has noted during town hall meetings with the accreditation body and through training that practices and processes will need to be established for at least a year and be considered part of the culture of an organization prior to being considered for certification. Planning for CMMC will be critical to obtaining certification. Additionally, if your organization obtains CMMC early, you will have a clear competitive advantage in the DoD ecosystem.
The CMMC – AB has estimated the following schedule of CMMC roll-out:
TELL ME MORE ABOUT CMMC LEVELS
Like many maturity models used in cybersecurity, CMMC is divided into 5 levels. Each level is made up of Practices and Processes. Level 1 demonstrates 17 Practices are in place indicating you have basic cyber hygiene, and your Processes are Performed (not documented). Level 2 is an interim step to transition your organization and prepare for Level 3. Level 3 requires 130 Practices be established (Good cyber hygiene) and documented, managed Processes in three areas. Level 4 and 5 build on these to complete the framework of 171 total controls. (the control counts are as of this writing and are subject to change during rule making).
WHAT DOES CMMC COST?
The cost of becoming certified will depend on a number of factors. Current maturity with NIST 800-171 will move your organization a long way toward the goal; however, there are many changes and specifics which are unique to CMMC. The level (1-5) at which your organization must be certified also has a direct impact on the cost. Stinnett’s RPs will work with you to understand your requirements and detail a plan to success.
Once certified, there is a requirement to recertify every three years or if you need to increase your certification level.
WE ARE HERE TO HELP
Stinnett & Associates is a professional advisory firm which has worked with companies for more than 20 years to streamline processes and controls. Stinnett has engaged in cybersecurity services for companies as large as a Fortune 50 to small foundations. Stinnett joined the CMMC ecosystem in 2020 and has obtained the designation of a Registered Practicing Organization and our employees have received and will continue to receive professional training related to CMMC compliance. Stinnett can perform readiness assessments to help your organization prepare for CMMC designation. Services include assistance with control design and gap analysis. At this time, no organization can provide final Certified Assessments.
Depending on your organization’s current cybersecurity status and the CMMC Level required, implementation of the new standard can take from several weeks to a few months. Starting now will save you valuable time and will get you ahead of the competition.
We offer the following CMMC Services:
- CMMC GAP Analysis / CMMC Readiness Assessment
- CMMC Consulting Service / CMMC Implementation Help / CMMC Pre-Assessment
If you would like to discuss CMMC requirements with one of our Registered Practitioners, schedule a complimentary 15-30 min consultation by emailing us at firstname.lastname@example.org.