Planning Your CMMC Journey for DoD Contractors

(CYBERSECURITY MATURITY MODEL CERTIFICATION)

What is the CMMC?

The CMMC is part of a government-led effort to protect the United States Defense Industrial Base (DIB) and its supply chain from cyber threats, both foreign and domestic, and to raise the overall security posture of the sector. Achieving CMMC certification is a journey, not a destination: the certificate reflects your security posture at the time of the assessment, not a permanent state. Once you achieve certification you must keep the controls in place and operating, because they will be assessed again.

What are the CMMC Levels?

The CMMC model measures cybersecurity maturity using five levels. Each level consists of a set of processes (how institutionalized the practices are within the organization) and practices (the security controls themselves). The processes range from 'Performed' at Level 1, through 'Documented' (Level 2), 'Managed' (Level 3) and 'Reviewed' (Level 4), to 'Optimizing' at Level 5; the practices range from 'Basic Cyber Hygiene' at Level 1 to 'Advanced/Progressive' at Level 5. The levels are cumulative: to certify at a given level you must meet every practice and process requirement of the levels below it.

Level 1 – “Basic Cyber Hygiene” – The DoD contractor must implement 17 controls drawn from NIST SP 800-171 Rev. 1 (these correspond to the 15 basic safeguarding requirements of FAR 52.204-21).
Level 2 – “Intermediate Cyber Hygiene” – The DoD contractor must implement another 48 controls of NIST SP 800-171 Rev. 1 plus 7 new “Other” practices (72 practices in total).
Level 3 – “Good Cyber Hygiene” – The DoD contractor must implement the final 45 controls of NIST SP 800-171 Rev. 1, so that all 110 are covered, plus 13 new “Other” practices (130 in total).
Level 4 – “Proactive” – The DoD contractor must implement 11 enhanced controls from Draft NIST SP 800-171B (later finalized as NIST SP 800-172) plus 15 new “Other” practices (156 in total).
Level 5 – “Advanced / Progressive” – The DoD contractor must implement another 4 enhanced controls from Draft NIST SP 800-171B plus 11 new “Other” practices (171 in total).


Why does CMMC matter?

The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens both economic security and national security. Malicious cyber actors have targeted, and continue to target, the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense. The DIB sector consists of over 300,000 companies that support the warfighter and contribute to the research, engineering, development, acquisition, production, delivery, sustainment, and operation of DoD systems, networks, installations, capabilities, and services.

What Should DoD Contractors Do to Prepare for a CMMC Audit?

Different CMMC levels require contractors to comply with different security controls, as outlined earlier in this guide. Contractors who have already fully implemented the 110 NIST SP 800-171 controls have covered the bulk of Level 3 and should have no trouble with Levels 1 and 2; what remains for Level 3 is the 20 “Other” practices introduced at Levels 2 and 3 and the process requirements (documented policies and a resourced plan for each practice domain).
If that is not yet the case, there are a number of options for contractors as they prepare for a 2020 - 2021 CMMC audit.

Outsourcing to a CMMC Registered Provider Organization (RPO) with Registered Practitioners (RPs)

For all but the largest contractors, the appropriate course of action is to outsource the preparation for CMMC certification to a qualified third party. In particular, engaging a Managed Service Provider (MSP) that holds Registered Provider Organization (RPO) status and employs Registered Practitioners (RPs) gives contractors access to the required expertise. Note the distinction: an RPO advises on and helps implement the practices, but it cannot conduct the certification assessment itself; that is done by a CMMC Third Party Assessment Organization (C3PAO).

However, responsibility for meeting the standard ultimately remains with the contractor, and it is the contractor, not the MSP, that is assessed. Bear in mind, too, that an MSP which handles your Controlled Unclassified Information (CUI) or administers in-scope systems becomes part of your assessment scope, so its own practices matter. This is why contractors should think long and hard about which MSP/RPO they decide to hire.

Although it may be tempting to do everything in-house, outsourcing the process to a qualified MSP/RPO will likely save you both time and money.

Not only will they be able to pinpoint areas of weakness, but they will also know what assessors look for. It is the most reliable way to prepare for an upcoming CMMC audit.

Implement NIST SP 800-171 Yourself

Contractors who possess the staff and resources may want to consider doing everything in-house.

Contractors can take advantage of the guidance in NIST Handbook 162, the NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements. It is a workbook compiled by the Manufacturing Extension Partnership (MEP) of the National Institute of Standards and Technology (NIST) to help DoD contractors assess themselves against the 110 controls.

Be aware that this workbook only covers NIST SP 800-171 up to and including Rev. 1, that is, the 110 controls and nothing more. It does not address the 20 additional “Other” practices or the process requirements of Levels 2 and 3, so on its own it will take you most, but not all, of the way to a CMMC Level 3 certification, and no further.

For the Draft NIST SP 800-171B enhanced controls required at Levels 4 and 5, things are more complex as there is no authorized workbook available.

If a contractor does not have the knowledge or the resources to implement these cybersecurity controls on its own, it should consider outsourcing these tasks to a CMMC Registered Provider Organization with Registered Practitioners to do the heavy lifting.

These companies may also be able to perform a gap assessment themselves (a readiness check, not a certification assessment), as well as support contractors in tightening up any areas of weakness before the C3PAO arrives.