CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
New Requirements For Department of Defense Contractors
WHAT IS CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification” and it is the latest framework for government contractors who have contracts with the Department of Defense (DoD).
The framework was designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by specifying a comprehensive set of maturity practices and processes to be applied within unclassified networks.
Most importantly, CMMC will be a requirement for DoD contractors moving forward and contractors who are awarded a DoD contract must pass the assessment by complying with the CMMC standards and showing a “Culture of Compliance”.
Failure to comply with the CMMC framework and a subsequent failure of a CMMC assessment is grounds for termination of the contract and any awarded funds.
IT MINDSHARE & CMMC
Besides being known as “The Good Nerds” and being easy to do business with (something that is rare in the IT Services world), IT Mindshare is a Managed Service Provider (MSP) with a strong background in cybersecurity.
We have experience with cybersecurity and technology audits as well as what it takes to remediate the environment and implement the required controls to keep our clients safe.
CMMC is a formal way of outlining controls that we have been implementing for almost a decade which means that while CMMC itself is new, the type of work required isn’t new to IT Mindshare.
We are a Registered Provider Organization (RPO) with the CMMC-AB (CMMC Accreditation Body) and at this time, we are the only RPO in the state of West Virginia. The RPO designation means that we are accredited to provide CMMC advice, consulting, and recommendations to Organizations Seeking Certification (OSC) in the Defense Industrial Base (DIB).
End-to-end CMMC consulting services that use our proven process, combined with the top CMMC tools, to walk clients through the entire process.
Maximum client size: 250 endpoints
We provide RP consulting for large RPOs and large clients (typically over 250 endpoints).
- On-site or remote RP consulting
- Gap Analysis consulting
- Policy consulting
- Remediation consulting
FREQUENTLY ASKED QUESTIONS
What Are The Different CMMC Levels?
There are 5 maturity levels of CMMC; however, most organizations will only need to be concerned with Level 1 or Level 3:
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Transition step in cybersecurity maturity progression to protect CUI
- Level 3: Protect Controlled Unclassified Information
- Levels 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
How Do I Know if I Need to be CMMC Compliant?
If you have a contract with the DoD, or plan to bid on and win a contract with the DoD, then you will require some level of CMMC compliance.
What Are the “Gotchas” of CMMC?
First and most importantly is the “Culture of Compliance.” Unlike frameworks and audits of the past, CMMC will be looking for long-term compliance, not just something that was complied with right before an audit.
Second is the scope which will determine what level of CMMC you need to comply with as well as what part of your environment will need to be certified.
Third is the fact that there aren’t enough RPOs and C3PAOs (CMMC Third-Party Assessment Organizations) to go around, so expect a long waiting list.
What is Culture of Compliance?
Culture of Compliance is a somewhat vague term, but it is repeated often throughout the CMMC ecosystem. In short, it means that CMMC assessors will be looking to see whether the measures taken and the controls implemented are ingrained into the culture of the company, or whether the company is just “checking the box”.
Box checking will likely be punished harshly under CMMC.
How Hard Is It?
This depends completely on the scope of the CMMC requirements and on the current condition of the company and its environment.
For CMMC Level 1 requirements, contractors must demonstrate basic cyber hygiene as outlined by Federal Acquisition Regulation (FAR) 52.204-21.
Companies pursuing higher CMMC maturity levels, and/or companies that have Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 in their contracts, will find this process much more involved.
What is the DFARS Interim Rule?
Full implementation of CMMC requirements into DoD contracts is expected to take five years. An Interim Rule went into effect on November 30, 2020 that applies to all new and renewing contracts. This directive is expected to remain in place until a specific CMMC level is referenced in your contract. The following are three critical components of the Interim Rule:
- Scored Self-Assessments
- System Security Plans (SSP)
- Plan of Action and Milestones (POA&M)
The self-assessment score must be uploaded to the government’s Supplier Performance Risk System (SPRS) database within 30 days of completing the assessment.
How Do I Get Started?
There are two things you’ll want to do:
- Number one, contact us so we can help you begin the first phase of the process. A CMMC gap analysis will help your organization determine its current state of compliance. A thorough gap analysis is a critical step in understanding the level of remediation required prior to scheduling a formal assessment with a CMMC Third-Party Assessment Organization (C3PAO).
- Number two, you want to contact your Contracting Officer (CO) or DoD point of contact to help determine the scope of your CMMC compliance.
How Long Does It Take?
The timeframe largely depends on the availability of RPOs, the current status of your environment, and the scope under which you will need to certify.
- For CMMC Level 1, a rough estimate is from several weeks to a month.
- For CMMC Level 3, it is expected to be several months.
How Much Does It Cost?
For CMMC Level 1 companies that are in good standing with FAR 52.204-21, the range is $10,000-$40,000. This estimate includes the remediation work but does not include any hardware or software, nor the assessment from a C3PAO. This is merely an estimate for planning purposes and not a contract or quote.
For CMMC Level 3 companies that are in good standing with NIST SP 800-171, the range will include CMMC Level 1 and 2 plus additional controls and policies. The estimated cost range is $25,000-$100,000+. This estimate does not include the assessment from a C3PAO. This is merely an estimate for planning purposes and not a contract or quote.
Can I Just Do This Myself?
There are certainly some aspects of CMMC that you can do on your own. We work with our clients and help point out ways that they can save money if they have the time.
We can provide a DIY checklist and oversee your work to help reduce the overall cost of CMMC.
However, it is still recommended to use a CMMC-AB RPO/RP for the analysis and remediation.
Lastly, the actual assessment is pass/fail and must be conducted by a C3PAO certified by the CMMC-AB.