If your company does business with the DOD, it is an absolute must that you get your company ready to pass the Cybersecurity Maturity Model Certification (CMMC).
Here is a list of what to do:
- Understand CMMC
- Get Ready Early
- Consult Professionals
- Get Ready For Change
- Obtain and Sustain
Now, let’s get started and talk about this step by step. If you have any questions as you go through the article, feel free to contact our team for feedback or help.
What is CMMC?
CMMC is a cybersecurity certification that is currently being put in place by the Department of Defense for all federal contractors; this includes primes and all subcontractors. The framework for the certification is being developed by Carnegie Mellon University and Johns Hopkins University.
There are five levels (L1 – L5) of certification in CMMC. The first three levels (L1 – L3) track closely with existing Controlled Unclassified Information (CUI) requirements. The final two levels (L4 – L5) add further requirements to allow for dealing with higher levels of clearance information.
Self-certifications will not be allowed, so certifications must come from an approved provider. Primes that are not certified will not be able to win contracts via RFPs. Subs that are not certified will not be able to work on the contracts.
Here (CMMC – Cybersecurity Maturity Model Certification) is the current draft of what the final document will look like starting in 2020. The framework is a variation of NIST 800-171. An updated version of 800-171 is currently in the works.
The CMMC consists of 18 domains:
- Access Control
- Asset Management
- Audit And Accountability
- Awareness And Training
- Configuration Management
- Cybersecurity Governance
- Identification And Authorization
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- System And Communications Protection
- System And Info Integrity
Get Ready For CMMC
If you wait until the summer of 2020 to get started with CMMC, you are putting your entire company's contracting opportunities at risk.
Large companies are getting a jump on this, as you would expect. Think about the headache that is coming down the road when you consider that a prime must have all of their subs certified via CMMC. Being proactive will allow you to achieve your desired maturity level on your first try.
Don’t make the mistake of thinking you can do this on your own, or that Paul from IT can cover this because he knows how to fix the company printer. The Feds are putting some serious regulations in place.
Like any good diet, the best time to get started is now.
Consult With Professionals
Companies that have been performing large scale cyber assessments in the commercial world are a great resource for the new CMMC requirements, especially if they based their previous assessment work on NIST 800-171.
Bring in the professionals (Secure Merger) and let us help your company get up to speed. If you already have a company that you trust, by all means, use them. If you don’t pass the CMMC certification after using them, then call us. We are here to help.
Getting ready for CMMC might take a while, especially if your cybersecurity program is immature. Some of this also depends on what level you need to come in at on the CMMC scale (L1 – L5).
Get Ready For Change
The entire point of implementing the CMMC is to change the way companies guard their information and how they go about their usual workday. So, your company and your employees will need to be ready for change. Change can be difficult sometimes, but there is no better motivator than your entire company being at stake.
Obtain and Sustain
Once your company reaches the level of cybersecurity maturity required by CMMC, you will have to sustain these newly implemented changes moving forward.
Sustaining the change is often difficult. If the government goes about this the way it has approached everything in the past, then once CMMC is implemented, follow-on regulations will roll out over time, and you will need to keep up with them to remain compliant.
If you implement the changes properly from the start, you will have no trouble sustaining a high cybersecurity maturity level moving forward.