What is CMMC?
WHAT IS CMMC AND HOW DOES IT AFFECT ME?
The days of NIST 800-171 self-attestation are gone. CMMC requires an independent third-party audit and certification.
As Ms. Katie Arrington explains, the United States is losing $600 Billion a year in exfiltrations, data losses, and R&D losses to our adversaries. Something had to change and that something was the creation of CMMC.
The DoD considers SECURITY to be the foundation of all acquisition practices. Cost, performance, and schedule will only operate with a defense-in-depth foundation. The DoD realized they required an agile and universal method for taking this idea and putting it into practice. Cybersecurity is necessary for everyone doing business with the DoD, but this does not mean that all members of the Defense Industrial Base (DIB) will need the same level of security. This is the beauty of the CMMC framework with its five levels of certification.
- DoD expects the final version, CMMC 1.0, to be released in January 2020.
- DoD expects CMMC level requirements to begin appearing in RFIs in June 2020.
- DoD expects CMMC level requirements to begin appearing in RFPs in September 2020.
Here are some more details about the DoD CMMC:
• The DoD vision for CMMC is that it be a unified cybersecurity standard for acquisitions to reduce exfiltration of CUI and Federal Contract Information (FCI).
• CMMC is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI.
• CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices.
• Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
• The required CMMC level (between 1 –5) for a specific contract will be contained in the RFP and will be a “go/no-go decision”.
• The CMMC effort builds upon existing regulations (i.e. FAR 52, DFARS 252.204-7012) which are based on trust (self-attestation), but adds a verification component via the third-party audit, certifying one’s cybersecurity standards and maturity.
• The goal is for CMMC to be cost-effective and affordable for small businesses to implement, especially at the lower CMMC levels.
• The intent is for certified independent third-party organizations to conduct audits and inform risk [CMMC Third Party Assessment Organizations (C3PAOs)].
• The DoD is currently working with industry partners to establish the Accreditation Body, which will be the main monitors and controllers of the CMMC framework and its implementation.
• The Accreditation Body will be in charge of training and monitoring the C3PAOs.
• The DoD is working with industry to create a tool for the C3PAOs to use in order to ensure uniformity across all certifications and certifiers.
• Certification will be a recurring requirement, but the exact timeline is still in flux.
• CMMC is not just about implementation, but about process maturity. DoD wants to see its industry partners grow and develop their security practices.
Check out the latest DoD Release here: Model v0.6
BMT can help you PREPARE for CMMC now and will be there for you during the transition. Please do not delay and risk your future contracts. Take the first step to compliance: Let our experts assess your current NIST implementation and fill any gaps that exist so you can be prepared when the CMMC auditor knocks on your door.