In order to protect the U.S. defense supply chain from foreign and domestic cyber threats, and reduce the overall security risk of the sector, the Department of Defense is mandating that all contractors that conduct business with the DoD have to be CMMC certified by a certain date. If you are planning to get the CMMC certification, here is some information to help you get started.
What is CMMC and why is it needed?
The Department of Defense released version 1.02 of the Cybersecurity Maturity Model Certification (CMMC) to ensure cybersecurity controls and processes would be put in place to protect controlled unclassified information (CUI) on DoD contractor systems.
CMMC requirements will flow down to all subcontractors from prime contractors. All future RFPs will require adherence to various levels of CMMC. Government Contractors will have to pass a CMMC audit so they can become certified and continue to offer their products and services to the DoD. The required CMMC level will be a pass/fail evaluation at the proposal stage for contract awards. In general, a CMMC certificate will be valid for 3 years. Contracts will not be awarded to organizations that do not meet the required level.
The CMMC Model has 5 Levels with a number of defined Practices and Processes in each Level that you have to comply with to get certified at that level.
What is the deadline?
Questions have emerged as to whether that deadline would still stand with the COVID-19 crisis. Yes, the deadline has changed several times already. So, for the latest info, please visit the Office of the Under Secretary of Defense for Acquisition & Sustainment FAQ page.
This is based on recent updates and may change – Between June and September of 2020, the initial round of audits will begin for a select number of Department of Defense Programs/RFIs, with the required CMMC Levels identified. A CMMC 3rd Party Assessment Organization (C3PAO) will ask Defense Contractors to prove how they process, store and transmit Controlled Unclassified Information (CUI). Government Contractors will need to be certified to the required Level in order to receive and bid on the RFP.
The timing of Accreditation Audits is now projected to be Q4 2021 (Calendar) going forward, with RFIs including CMMC references as early as June and RFPs including CMMC references by Q4.
What CMMC maturity level will you need to certify for?
The RFP/RFI will state what level the contractor must meet. If you manage Controlled Unclassified Information (CUI) in any way, you have to meet at least security level 3.
Not all government contractors deal with CUI. If you aren’t sure, ask your contracting officer or read the RFP. Examples of CUI are personally identifiable information, schematics of military equipment, sensitive information about schedules and personnel, and configuration documentation for government networks.
What effort is required to complete project tasks and evidence gathering?
There are three factors for estimating the cost and work involved with compliance.
- How complex is the network you are evaluating?
- Does your network already have secure configurations and security programs installed?
- What CMMC level are you trying to meet?
Here is some guidance: Is it possible to isolate your information to fewer systems, fewer networks, or fewer users, while still fulfilling the terms of your contract? You don’t need to secure ALL computer systems for the entire company. You just need to secure the systems that store data (Controlled Unclassified Information) about the contract. Make the job easier by reducing your footprint.
Poring over controls and analyzing infrastructure is a tedious and time-consuming process. If you involve an experienced SME at your organization who knows your environment well, this process will take less time.
Get a leg up on your CMMC audit preparation!
Zartech’s solution and security advisors can guide you through the self-assessment process and help align your organization to the CMMC maturity level that you wish to certify for. You can leverage our tool, Cyberator, to gather all required artifacts and complete the project tasks. Then schedule the CMMC auditor to conduct the certification. Assign the auditor ‘view only’ access to the tool to review your self-assessment results with the artifacts/evidence and complete the verification. Cyberator drastically reduces the time and effort to prepare for a CMMC audit!
Note: Zartech is an RPO but not a CMMC assessor.