If you are one of the 221,000+ suppliers to the U.S. Department of Defense, whether big or small, prime or subcontractor, and you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you will need to address the Cybersecurity Maturity Model Certification (CMMC) to be awarded valuable DoD contracts or to work on them.
Keep in mind that the process will likely take most organizations nine to twelve months or more to become certified!
If you work on DoD contracts, whether as a prime or subcontractor, and you want to keep that kind of work moving forward, passing the new CMMC is crucial. If you don’t know how to get started, are stuck somewhere in between, or aren’t 100% certain you’ll pass, Vestige has a 3-step CMMC preparation plan that is a perfect fit for you!
A proven formula providing accurate direction, taking you from assessment to secure with the following steps:
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.
As part of DoD contracts, primes and subcontractors are subject to the flowdown rules contained in the Federal Acquisition Regulation (FAR) as well as the Defense Federal Acquisition Regulation Supplement (DFARS). In an effort to continue to improve cybersecurity and prevent the loss of intellectual property and other sensitive information, this government-led effort is being implemented to protect the U.S. Defense Supply Chain (DSC) from foreign and domestic cybersecurity threats and to reduce the overall security risk of the sector.
Since the adoption of DFARS 252.204-7012 in 2016, nearly 300,000 US DoD contractors have been scrambling to understand and implement NIST SP 800-171 standards within their companies in order to comply with the regulation. Some have had the internal resources to become compliant themselves, while others have outsourced the task to vendors, such as Vestige, who help DoD suppliers comply with their cybersecurity mandates; still others have ignored or failed to implement such requirements.
Due to this slow adoption rate of the DFARS 252.204-7012 regulation, the Department of Defense has released the Cybersecurity Maturity Model Certification (CMMC).
CMMC is designed to ensure that appropriate cybersecurity controls and processes are adequate and in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 outlines three compliance maturity levels that range from Basic Cybersecurity Hygiene (Maturity Level 1) to Advanced Cybersecurity Practices (Maturity Level 3). When implemented, adherence to the CMMC will reduce the risk of hostile agents breaching a supplier’s cybersecurity defenses.
Unlike in the past (NIST 800-171), where a supplier was able to “self-assess” conformance with the standard, CMMC 2.0 requires that, to be awarded prioritized contracts at Level 2 and all contracts at Level 3, the organization undergo a thorough, evidence-based, external audit performed by a Certified Third Party Assessor Organization (C3PAO) at Level 2, or by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) at Level 3.
For those organizations that can still self-assess, a senior officer of the company will need to attest that the controls are in place and working as designed.
Compliance is required in order to be awarded a DoD contract. Depending on a supplier’s requirements and current state, the CMMC Accreditation Body (CMMC-AB) has advised that obtaining certification under the CMMC program will likely take a minimum of 6 months. Vestige’s experience with similar frameworks (and our deep knowledge of both NIST 800-171 and CMMC) indicates that organizations may need a minimum of 12 months.
Frequently asked questions about CMMC and their answers:
Official U.S. Department of Defense (DoD) CMMC web page: https://dodcio.defense.gov/CMMC/
Contact Vestige today to discuss CMMC Compliance for your organization.