With More Factories than Ever Required to Submit their CMMC Certification, the New Workload It Requires Can Seem Overwhelming. Integris is here to help you sort it all out.
If you’ve been reading the headlines lately, it’s no mystery why the United States government considers corporate cybersecurity a national security issue. Cyber attacks are often state sponsored, highly sophisticated, and aimed at our national infrastructure and institutions, like our electric grids, or city, state or national agencies. To combat the growing threat, President Biden has issued an executive order requiring the Department of Defense to verify the safe cybersecurity practices of all their vendors by 2025. And the process they’re using to do that is a rigorous certification known as the Cybersecurity Maturity Model Certification (CMMC). If you work with the Department of Defense in any way, you’ll need to have some level of CMMC compliance, or risk losing your contract.
When your company has invested in CMMC compliance, you’ve certified that you have safe cybersecurity practices and can manage Controlled Unclassified Information (CUI) across the entire DoD supply chain. It really is that simple.
So, what kinds of companies need to worry about CMMC compliance? The answer is not as simple as “any defense contractor.” Let’s break it down.
CMMC Compliance: What Is It, And Who’s Governed By It?
First, let’s talk about the conditions leading to the development of CMMC. Government contractors have always had to follow some kind of guidance about cybersecurity. Up to now, though, that guidance lacked much in the way of enforcement teeth. Contractors were asked to follow the National Institute of Standards and Technology’s 800-171 guide, which in essence asked contractors to “self-attest” that they were following the guidelines.
The threat of cyber spying and cyber crime has gotten so great, however, that the government can no longer simply “take their word for it.” Enter CMMC. This certification is now a requirement for any firm wishing to do business with the government. The CMMC certification is tiered, based on the level of sensitive data a contractor will handle. The government jobs going up for bid will specify which level of certification you need.
So, when will CMMC be required? The government has requested that DoD vendors and consultants start applying as of 2020. However, companies will have until 2025 to comply. That extra buffer time is necessary, because the bar is set high to reach compliance. Here’s how the tiered levels look for consulting companies.
How Many Levels of Certification Are There?
In November 2021, the DoD completed a review of the CMMC process that was prompted by complaints from vendors about its complexity. As a result, they came out with CMMC 2.0, a program which streamlined the process from five security levels to three, as shown in the DoD’s chart below.
Where your organization falls on this chart will depend on what services/products you provide for the Department of Defense, and the sensitivity level of the data you handle. Each level builds on the one below it, so an organization at level three must have all the safeguards of the first two levels, as well as a whole new set of rigorous data handling standards.
The bids you make will already have their own predetermined levels. So be sure to contact your government clients for details on what’s expected of your bids.
Does all this sound complicated? It is, actually. Getting a CMMC certification usually takes months to complete, and requires the help of an MSP like Integris, or specialized consultants who can help you get the proper training and assemble the proper documentation to apply. Also keep in mind, it’s not just a matter of filling out forms. You must demonstrate that your systems are configured properly with the right kinds of safeguards. So, keep in mind capital investments may be necessary, and new systems might need to be put in place before you can apply for your certification.
What does CMMC Compliance Cover?
CMMC Compliance can be expensive, requiring upgrades and new processes that could cost your company as much as $3,000 per employee per year, according to AT&T’s latest estimates. Initial set-up fees could cost as much as $500 to $1000 per employee.
Why is it so pricey? Because the certification touches nearly every part of your IT operation and physical plant security. To earn your certification in CMMC compliance, your company must meet the requirements for 43 different capabilities spanning 17 different domains, including:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System Communications and Protections
- System and Information Integrity
If this seems like an insurmountable hill to climb, take heart. There is plenty of great contract help that specializes in CMMC requirements for small businesses.
Where to Go for Help
Before you can begin the certification process, you’ll need to articulate all the parts of your current cybersecurity plan, so it can be reviewed. Then, you’ll need a CMMC preparedness consultant, or an MSP like Iconic that understands CMMC compliance requirements, and can revise your cybersecurity plan to achieve true CMMC compliance. That consultant can work with your internal staff to do a comprehensive review and risk assessment, to determine where your deficiencies are. They’ll help you identify which cybersecurity products, platforms and services you’ll need before the CMMC compliance deadline.
Would you like to do a little homework and see if your cybersecurity is up to the test? Try our free DIY Cybersecurity Assessment Checklist, to see where the holes in your cybersecurity operation are. And if you’re in one of our service areas, contact us. We’d love to help you get started on the road to CMMC compliance!