The Cybersecurity Maturity Model Certification (CMMC 2.0) program is a Department of Defense (DoD) requirement intended to ensure that every contractor doing business with the DoD meets a defined set of cybersecurity practices and can demonstrate that it does so. Here's what you need to know.
The push for stronger security requirements shouldn't come as a surprise to any DoD contractor.
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 already required contractors that handle Controlled Unclassified Information to implement the security requirements of NIST SP 800-171 by December 31, 2017.
Unfortunately, the DoD determined that far too many contractors were not actually meeting that requirement, because compliance was self-attested and rarely verified.
CMMC was developed to strengthen the requirement and to tie proof of compliance, through assessment and certification, to a contractor's eligibility to bid on contracts.
What Kind of Data is Subject to the CMMC Requirements?
Depending on the type of work a contractor performs for the DoD, it may have access to and maintain Federal Contract Information (FCI), Controlled Unclassified Information (CUI) and other sensitive data that must be securely transmitted, stored and handled. Which of these you handle determines the level you must meet: FCI alone puts you at Level 1, while CUI requires Level 2 or higher.
What Does CMMC Compliance Look Like?
The CMMC framework draws its cybersecurity practices from multiple existing standards, frameworks and references. The model measures cybersecurity maturity with three levels, each tied to a published set of practices and an assessment type, described below. The requirements are cumulative, so any certification level also includes the requirements of the level(s) below it.
Level 1: Foundational
Level 1 of CMMC 2.0 covers the basic safeguarding requirements for FCI found in FAR 52.204-21 and requires an annual self-assessment by the contractor, with an annual affirmation of compliance.
Level 2: Advanced
Level 2 of CMMC 2.0 aligns with the 110 security requirements of NIST SP 800-171 and is broken into two categories based on how the DoD prioritizes the acquisition.
- Higher-priority Level 2 contracts will require a triennial assessment and certification by a CMMC Third-Party Assessment Organization (C3PAO).
- Lower-priority Level 2 contracts may only require an annual self-assessment by the contractor.
Level 3: Expert
Level 3 of CMMC 2.0 adds a subset of the enhanced requirements from NIST SP 800-172. It requires that the organization first hold a Level 2 certification from a C3PAO and then pass a government-led assessment against NIST SP 800-172 conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
How Should My Organization Pursue CMMC Compliance?
The first step in determining whether your business is on the right track is answering this question: "What level am I required to achieve for the contracts I wish to bid on?" Some prime contractors provide this level information to their subcontractors; others leave subcontractors to work it out on their own.
The next steps, determining where you stand today and what you must do to become compliant, are critical and must be done properly. There is a common misconception that CMMC 2.0 compliance is all about the security of your technical infrastructure. It is not: much of CMMC 2.0 compliance is about documented policies and procedures, a system security plan, and evidence that controls are implemented and tested. Missing any one piece can cause a business to fail its assessment.
A critical part of the process is deciding whether to pursue compliance in-house or to hire outside assistance. Look at which team within your organization can get this done effectively and efficiently, keeping in mind that not all technical staff are proficient in every area of securing an infrastructure, and not everyone stays current on the compliance rules.
Your goal throughout should be to become compliant in the most efficient and sustainable way possible so that your company can continue doing work with the DoD.
Where Should I Go for Help With CMMC Compliance?
There is no time to waste: the sooner you start, or verify where you are on, your compliance journey, the greater the benefit to your company.
Warren Averett Technology Group can assist your company on your journey to CMMC 2.0 compliance through detailed guidance, determining your readiness and providing a road map of how to get from where you are to where you need to be. For help in navigating this landscape, please contact us today.
This article was originally published on March 17, 2021 and most recently updated on July 19, 2022.