The Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recently released information regarding plans to reform and standardize business practices to deliver relevant, affordable solutions as a goal for the organization. This decision resulted in the Department of Defense (DoD) responding with the development of the Cyber Security Maturity Model Certification (CMMC),which is designed to ensure appropriate levels of cyber security controls and processes are in place to protect controlled unclassified information (CUI) on DoD contractor systems. To continue doing business as a contractor, all prime and subcontractors on the supply chain within the DoD must be audited and certified under this new framework. This announcement has left many contractors supporting the DoD with several questions and concerns regarding current and future opportunities.
At Key Cyber Solutions (KCS) our mission as a security organization is to stay aware of changes in the industry and provide solutions and clarity to ensure that our clients and partners are prepared for any changes that may impact their business practices. After learning about the upcoming transition to universal security standards within the DoD, we have identified five (5) key factors to help all contractors understand and prepare for the CMMC.
5 Things all DoD Contractors need to know about Cyber Security and the CMMC
1. What is the CMMC?
The Cyber Security Maturity Model Certification (CMMC) is comprised of various cyber security standards and best practices including NIST 800-171, NIST 800-53, ISO 9000, CMMI and others. Using those practices, the requirements are mapped across several maturity levels ranging from basic cyber hygiene to advanced. For each level, the resulting associated controls and processes will provide universal standards for reducing risk against specific sets of cyber threats with documented processes for handling sensitive information stored on DoD systems.
2. What are the levels of CMMC and how is compliance demonstrated?
To meet a specific CMMC level, an organization must meet the practices and processes within that level as well as levels below and self-assessment will no longer be acceptable to demonstrate compliance with the new regulations. Companies now must demonstrate to assessors and certifiers that the appropriate capabilities and organizational maturity, controls and processes are in place to reduce the risk of specific cyber threats, to be awarded a CMMC certification.
3. Can my company bid DoD opportunities without CMMC certification as long as we meet the requirement before award?
CMMC will be a unified standard for cyber security. The required CMMC level will be determined at the acquisition level and used as a “go” no go decision. This however doesn’t mean that without the appropriate level of CMMC certification at the time of release your company will be ineligible to compete for award. Contractors will be required to meet the designated certification level at time of award. Prime contractors must also flow down the appropriate CMMC requirement to sub-contractors. Unless a higher level is specified, all contractors and subcontractors must meet at a minimum CMMC Level 1.
4. How much time do companies have prepare for CMMC certification?
The first draft of the CMMC was released in July 2019 and the final requirements are expected in early 2020. By June 2020, the CMMC requirements will be included in requests for information (RFIs), and in September 2020 in requests for proposals (RFPs). The latest information and updates about CMMC activity and changes to the certification requirements can be found on The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) CMMC website. This page is the official resource for updates, clarifications, recordings of previous industry information sessions as well as revisions of the CMMC draft.
5. What can companies do now to prepare for CMMC certification?
Get started! Although the final CMMC requirements are not finalized, your company can take several steps to ease the transition to CMMC. The tips below offer steps that can be taken now to ensure your company is on track and prepared for certification.
Determine a list of which compliance or regulatory frameworks may apply to your business.
Assess your ability to address compliance requirements and determine the expenses associated with meeting those controls.
Develop a compliance road-map that outlines specific steps to meet compliance requirements in a way which is sustainable to your company.
Still have questions or need assistance to ensure you are on the right track? Visit the KCS CMMC page and connect with us to learn how to be CMMC compliant before its launch. Our team is available to review your current information systems and deliver a customized road map to certification to ensure your organization is operating at basic hygiene and above standards.