Last updated on November 7th, 2023 at 07:56 pm
If you perform contract work with the U.S. Department of Defense (DoD), you know you need to meet certain cybersecurity standards. As security threats change and increase, these standards change too.
Cybersecurity Maturity Model Certification (CMMC) is the new standard of compliance that should be on your radar. You may not need to be fully compliant until 2026, but contracts where CMMC compliance is preferred will start flowing this year.
Here are five things you need to know about CMMC as a contractor in the Defense Industrial Base (DIB).
1. What is Cybersecurity Maturity Model Certification (CMMC)?
CMMC, or the Cybersecurity Maturity Model Certification, is a cybersecurity compliance standard. It will soon be required for contractors working with the DoD in order to protect the nation’s most sensitive data from adversaries.
The DIB and DoD are already, and will likely continue to be, major targets for cyber adversaries. Many adversaries are especially interested in information about our war machines and defense technologies.
The U.S. must strengthen its cybersecurity hygiene to keep these adversaries from learning sensitive information. That means strengthening cybersecurity not only for the government itself, but also for contractors who work with the government. The new CMMC compliance standard makes sure the companies developing sensitive technologies can also keep them out of the wrong hands.
The CMMC compliance standard evolved from the DFARS 252.204-7012 & NIST 800-171 standards. We’ll discuss some of the differences between CMMC and the older standards below.
2. The Differences Between NIST 800-171 and CMMC
You may be familiar with the old rules under the NIST 800-171 standard. Under NIST 800-171, contractors are responsible for self-attesting to their compliance.
Under CMMC, contractors must be assessed and certified by CMMC assessors. DoD contractors will be audited every 1 to 3 years, depending on the level of compliance they achieve. This practice ensures that each contractor takes cybersecurity seriously and lowers the risk of data loss.
CMMC has several other differences you should take note of:
- Contractors need to be certified before they are awarded new contracts.
- Both prime contractors and subcontractors must be CMMC Compliant.
- The Plan of Action and Milestones (POA&M) must be completed before the assessment.
- There are new penalties for providing fraudulent cybersecurity compliance information. For more information on this topic, look up the Civil Cyber-Fraud Initiative and the False Claims Act.
- CMMC is not an all-or-nothing standard. Contractors can select the level that is appropriate for them based on the type of work they perform for the DoD.
3. Which Cybersecurity Maturity Model Certification (CMMC) Standards You Need to Meet
There are 3 levels of CMMC standards:
- Level 1 (Foundational) applies only to companies that handle Federal Contract Information (FCI). This level protects contractor information systems and limits access to authorized users only. Companies handling more sensitive information will need to achieve a higher CMMC level.
- Level 2 (Advanced) applies to companies working with Controlled Unclassified Information (CUI). This level applies to the majority of DIB contractors.
- Level 3 (Expert) applies to companies working on the DoD’s highest priority programs. It aims to reduce security risks from Advanced Persistent Threats (APTs).
Each level comes with its own set of required practices, processes, and controls. The majority of contractors will need to achieve CMMC level 2 standards. Only 10% or so will need to achieve CMMC level 3.
4. The Rules for Prime Contractors and Subcontractors
Prime contractors are responsible for ensuring that all subcontractors working under them are CMMC compliant. However, prime contractors are not responsible for paying for a subcontractor’s compliance journey.
If you are a prime contractor, you are encouraged to give direction on CMMC compliance to any subcontractors you work with.
5. When to Become Certified
All contractors in the DIB must become fully CMMC Compliant by 2026 to continue business with the DoD. However, it’s a good idea to become compliant sooner if you can. You will have a higher chance of getting contracts with the DoD this year if you already meet CMMC standards.
CMMC will be rolled out in phases from 2023 through 2026. The number of new contracts requiring CMMC certification will grow each year until all contracts require CMMC Compliance in 2026. Contractors will need to meet CMMC Compliance standards if they want to win contracts.
The best time to start on the journey to compliance depends on the release of your preferred RFI/RFP and your business circumstances. You will still be able to bid on opportunities before you become CMMC compliant. However, you will not be awarded contracts until you meet the compliance requirement.
Need to Work Toward Cybersecurity Maturity Model Certification Compliance?
If your organization needs to achieve CMMC Level 2 compliance, Simple Helix can help. For the same money you already spend on MS 365, we can migrate you into the right MS 365 Government Community Cloud (GCC) environment to become CMMC compliant. From there, we can move you forward with managed workstations, firewalls, servers, and more.
We provide solutions for many CMMC Level 2 practices, augmented through our Managed IT Services. We can cover 54 practices out of the 110 total required for CMMC Level 2. Our partner, Gray Analytics, can cover the additional 56 practices required to reach Level 2 compliance.
Get in touch with us today about working toward CMMC compliance.