If you are a contractor with the Department of Defense (DoD), you may have noticed that in October 2020 the DoD released an Interim Final Rule with detailed information about the Cybersecurity Maturity Model Certification (CMMC). But with little information available, you may be unsure what it is, how it works, and what the penalties for non-compliance are.
What is CMMC?
CMMC is an assessment model for implementing cybersecurity across the Defense Industrial Base (DIB), with over three hundred thousand companies in the supply chain. The DoD created the CMMC to respond to significant compromises of sensitive defense information in the Contractor’s Information Systems (CIS).
As technology has advanced, cybersecurity threats have evolved, and systems used by the United States government have become a popular target because of the critical nature and sensitivity of the information they store. As a result, organizations have been forced to take the steps necessary to protect the integrity of their systems and the data they contain.
Contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC changes the pattern by requiring third-party assessment of a contractor’s compliance with mandatory procedures, practices, and capabilities that can adapt to new cyber threats.
What Are the Penalties for Non-Compliance?
Although it is not currently a minimum requirement, all Defense Industrial Base (DIB) contractors must be CMMC certified by 2025. Historically, most cyber-crime has been motivated by financial gain, but recently there has been a trend of terrorist groups engaging in criminal activity to fund their operations.
To ensure adequate cybersecurity protection of Controlled Unclassified Information (CUI) across the DIB, the DoD will only award contracts to CMMC-compliant organizations. This means that without a CMMC certification, you will not be able to do any business with the government.
Luckily, there are no fines or penalties for non-compliance. But not being compliant puts your organization and your clients’ data at risk. Research has shown that most companies go out of business within six months of a cybersecurity breach because of the huge costs incurred for incident response, legal fees, IT downtime, and recovery operations.
The CMMC Framework
The CMMC framework applies to all companies with a DoD contract, which means that all DoD suppliers and contractors must meet all cybersecurity standards in the National Institute of Standards and Technology (NIST) SP 800-171 framework. This framework protects controlled unclassified information (CUI) from foreign agents and hackers.
The CMMC framework features five certification levels that show the maturity and reliability of a company’s cybersecurity infrastructure in safeguarding sensitive government information on the CIS. Each level builds on the technical requirements of the one below it.
Level 1 – Basic Cyber Hygiene
This level concentrates on whether an organization is practicing basic cybersecurity hygiene. A company must perform basic cyber hygiene practices, such as requiring employees to change passwords frequently and using antivirus software, to protect Federal Contract Information (FCI).
FCI is information generated by the government under a contract that should not be made available to the public. All contractors should meet the level 1 practices, as they set the foundation for the other levels.
Level 2 – Intermediate Cyber Hygiene
The intermediate cyber hygiene level requires a company to use more advanced security protocols to protect data from cyber-attacks. A contractor at this level must be capable of preventing more advanced threats than a level 1 company. Level 2 certification also requires documentation of the security protocols implemented and maintained.
Level 3 – Good Cyber Hygiene
To attain level 3 certification, a company should have a standardized management plan that implements good cyber hygiene practices to safeguard CUI. NIST SP 800-171 outlines all the required procedures.
A company with a level 3 certification shows that it can counter most threats and ensure information security. However, most level 3 organizations are unable to counter advanced persistent threats.
Level 4 – Proactive Cyber Hygiene
For a company to be granted level 4 certification, it must have implemented processes for measuring and reviewing the effectiveness of the practices put in place to counter advanced persistent threats (APTs). The contractor can effectively protect CUI by consistently upgrading its security tactics, techniques, and procedures (TTPs) to counter APTs.
The company is required to review and document the effectiveness of all security protocols. If any issues are found, upper management should be informed immediately.
Level 5 – Advanced and Progressive Cyber Hygiene
This is the highest level of maturity. A level 5 certification shows that the company can protect CUI and has a well-crafted cybersecurity program that adapts to meet advanced threats. In addition, the security process should be standardized across all networks, including those of any third-party associates.
How Do You Become CMMC Certified?
For your company to become CMMC certified and achieve compliance, it must be audited and assessed by a certified third-party assessment organization (C3PAO) or an accredited individual assessor. Below are the steps you should consider before the audit:
- Identify the maturity level you want to be certified for
- Find an available C3PAO or accredited individual assessor
- Allow a timeline of up to ninety days to resolve and fill gaps identified with the C3PAO
Note that specific audit findings by the C3PAO are confidential and are only made public once a level has been achieved.
Key Steps in Attaining CMMC Certification
Below are the five key steps you need to take to attain CMMC certification, as outlined by the Interim Rule:
- Self-assessment: you need to know where you stand in terms of FCI and CUI protection. Are you in line with the CMMC’s requirements?
- Pre-audit support: this requires the involvement of an expert third party like Orion Networks. We will assess your current processes and determine whether you are vulnerable to attacks. We provide a detailed assessment of the areas of concern you need to address before the audit.
- Remediation: based on the assessment results, we will address any potential risks and help transition your company to full CMMC compliance.
- Audit: after fulfilling the above steps, the last step is hiring a C3PAO. Provide them with the self-assessment results and the changes made.
That’s it! You are now CMMC compliant.
In Summary
Although there are no fines associated with CMMC non-compliance, getting CMMC certified places you in an advantageous position. Once CMMC certification becomes a minimum requirement for DoD contracts, most contractors are likely to drop out because of the time and money involved.
If you need help with CMMC certification and processes, contact Orion Networks. We have a deep understanding and experience working with complex systems.