By now every DoD contractor should have at least passing familiarity with the new Cybersecurity Maturity Model Certification (CMMC).
In an effort to mitigate breaches, shore up the supply chain, and safeguard sensitive CUI, starting in January 2021 every contractor will be required to be CMMC certified by an independent third-party auditor. Those that aren’t will not be able to do business with the DoD.
But while many contractors have some knowledge of CMMC, the slow trickle of information has led to several misconceptions, many of which could prevent contractors from taking action to achieve CMMC certification.
Like all myths, these seven about CMMC contain at least a kernel of truth. And that’s precisely why they could lull you into complacency and put your contracts in jeopardy.
Since CMMC is built upon NIST 800-171, there’s a misconception that the two are the same, or that CMMC is simply NIST with a new name.
However, there are significant differences. While NIST 800-171 measures your ability to satisfy a set of standard controls, CMMC maps your cybersecurity processes and practices to one of five maturity levels.
What is true is that being NIST compliant satisfies the requirements outlined for Levels 1 and 2 of CMMC. Achieving Level 3 requires another 21 controls, and Levels 4 and 5 demand even more work.
But while being NIST compliant goes a long way to getting you CMMC certified, there’s an additional requirement not addressed by NIST: an audit. You can only get CMMC certified through a third-party audit. Any contractor that’s NIST 800-171 compliant will need a CMMC audit, even for Levels 1 and 2.
If you have an experienced IT team that also has the time to take on the certification, it’s entirely possible to handle CMMC in-house. However, it will also require your IT team to work closely with your Field Security Officer (FSO) and human resources to ensure all of the CMMC processes and practices are addressed.
So yes, with the right team, it can be handled internally. But expect some roadblocks and delays along the way, as well as more than a few headaches. That’s especially true given that CMMC is new and only a handful of compliance specialists, never mind your IT team, have the type of expertise needed to seamlessly guide certification.
In most cases, though, DoD contractors don’t have the internal resources or expertise to handle CMMC in a way that ensures you pass the audit so you don’t lose out on contracts and revenue.
To accelerate your CMMC certification with the fewest headaches possible while allowing your internal team to focus on its daily duties, partner with a consultant that has CMMC expertise. Not only will the right partner save you time, but they’ll get you on the fast track to passing your audit and on the short list to land a contract.
Let’s not sugarcoat it: To a certain degree, the DoD has purposely made CMMC a challenge. And for good reason – ultimately, the goal is to safeguard the defense supply chain and protect sensitive information from cyberattack. Setting the bar high allows the DoD to ensure security hygiene.
To that end, CMMC will require significant time, planning, and resources, and will necessitate a significant commitment from key stakeholders across your organization – from senior leadership and your internal IT team to your Field Security Officer (FSO) and even human resources. That’s especially true if you opt to tackle CMMC yourself.
However, if you partner with an MSSP or a CMMC consultant with specialized expertise, the process will go much more smoothly. A consultant should come to the table with a plan to engage the appropriate stakeholders and streamline the certification process, accelerating certification while freeing up your internal team and resources.
Depending on who you partner with, and how willing you are to work with them, you could be CMMC certified within 90 days.
Contractors that have been through the rollout of previous compliance initiatives are likely skeptical that this one will be any different than the others, many of which had little bearing on their ability to do business.
That includes NIST 800-171, which mandated compliance for all DoD contractors and not only stated that RFP submission constituted verification of compliance but also that noncompliance could result in loss of contract.
Yet for all of its hardline language, NIST had no teeth. It allowed contractors to self-verify that they met, or were in the process of meeting, the required controls.
CMMC is different. All DoD contractors will need to be CMMC certified at the level specified in the RFP. Those that aren’t will automatically be disqualified from being awarded the job.
Even more important, you will not be able to self-verify. Certification will be done through an audit conducted by a third-party assessor and overseen by the CMMC-AB, a nonprofit organization.
Any contractor that lacks the appropriate certification will surely feel the impact of losing the recurring revenue generated by a five-year DoD contract.
While it’s true that CMMC certification will require an investment, the revenue gained through ongoing DoD contracts more than makes up for the cost. What you can’t afford is the loss of business that noncompliance would incur.
Furthermore, the DoD has assured contractors that certification for Levels 1-3 will be affordable. The contracts at those maturity levels cover many of the small and medium-sized businesses working with the DoD.
While achieving Level 4 and 5 certification may be more expensive, these levels cover larger contracts, typically handled by larger organizations for which the cost is not prohibitive.
Lastly, CMMC preparation will be considered an allowable, reimbursable cost, which means it’s an expense that can be specified within the contract and billed to the DoD.
Because CMMC, and even NIST 800-171 for that matter, focuses on cybersecurity, there’s an assumption that you only need a technology solution to achieve compliance.
However, statistics show that human behavior is as much to blame for breaches as technology. As a result, CMMC requires contractors to address processes and practices related to physical protection, personnel security, and awareness and training.
Be wary of any “expert” that offers a 100% software-based solution. Technology should be part of the package to help you more easily meet the IT standards, but your partner should also offer guidance on how to adopt best practices across your team and your physical footprint.
This myth is actually true, but it’s also misleading.
You will not have to be certified at the time of the RFP, just at the time the contract is awarded. If a contractor that submits an RFP is not CMMC certified when the contract is awarded, they will not be eligible to do the work.
Depending on the amount of time between the RFP and the contract being awarded, you could have a few months or up to a year to pursue and satisfy the CMMC requirement. However, not knowing how much (or little) time you have could put your company in a bad spot.
Waiting until the last minute could force you to rush through the process and fail the audit. With a number of companies all trying to get certified early on, there’s also the possibility of a backlog of audits that forces you to wait. In that case, your window could quickly close and you’ll be automatically disqualified from winning the contract.
To ensure you are CMMC certified when you need it, your best bet is to act early and engage with an experienced consultant that can guide you through the process.
With its mandatory audit and multiple certification levels, CMMC signals a shift from NIST and previous compliance requirements. The DoD is serious about stemming the tide of recent breaches and safeguarding sensitive information before it falls into the wrong hands.
Contractors that wish to continue doing business with the DoD will need to be equally serious about CMMC.
Until it’s fully implemented, more myths about CMMC will continue to arise. Rather than attempting to separate fact from fiction, consult with a compliance specialist that can tell you with certainty what’s required and guide you through the process.
If you would like to learn more about Cybersecurity Maturity Model Certification, be sure to check out our guide. It includes everything you need to know about CMMC in order to get ahead and stay ahead of your competition.