
Navigating the CMMC Certification Process

November 6, 2021

In 2020, the DoD rolled out its Cybersecurity Maturity Model Certification (CMMC) program. CMMC requires defense industrial base (DIB) contractors to demonstrate, in most cases through a third-party assessment, that they practice one of three levels of cybersecurity, depending on the kind of government data they handle.

Although the deadline for CMMC compliance is still 2025, the Department of Defense has already made multiple changes to the program since its inception, making it difficult to understand where your organization needs to align. Fortunately, this blog (and our CMMC for Dummies ebook) will outline the paths you have to follow to reach your ultimate destination on time.

Get a feel for the road to CMMC certification. 

The process for becoming CMMC certified will require effort on your part, followed by a third-party assessment. But the DoD’s goal is not to burden you or deter innovation. So, understanding the landscape and how it may change is vital to being a good mission partner.

There are three objectives for the CMMC program:

  1. To incorporate a unified set of cybersecurity requirements into acquisition processes and contracting language. The program includes several levels of cyber requirements, which allow the DoD to apply requirements appropriate to the defined sensitivity level of the information at issue.
  2. To provide the Department assurance, via external assessment, that all contractors and subcontractors participating in a given award meet mandatory cybersecurity requirements. Prime contractors are accountable for ensuring that their suppliers implement the appropriate cybersecurity requirements.
  3. To develop supporting resources, information, and training that help contractors improve cyber readiness and comply with the Department's requirements.

“Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award,” DHS CIO Eric Hysen says. “This process is a critical step in our progress towards protecting the Homeland.”

Knowing your location on the map. 

There are three levels of CMMC certification, depending on how you interact with government data:

  • CMMC Level 1: Level 1 applies to DoD contractors who handle only Federal Contract Information (FCI) and no Controlled Unclassified Information (CUI). Because no CUI lives on their corporate networks, this level's security requirements are the least stringent. Most contractors that provide basic supplies and commodities to the government fall under Level 1. At Level 1, contractors may self-assess that they meet the 17 required practices.
  • CMMC Level 2: At Levels 2 and 3, contractors handle CUI. Representative CUI is information such as schematics for DoD equipment that would let an adversary reverse-engineer or learn about military capabilities, or maintenance plans for aircraft equipment kept on a CUI network. Level 2 requires protection aligned with NIST SP 800-171, which the DoD already requires of CUI handlers through DFARS 252.204-7012. Depending on the nature of the data you handle, some Level 2 contractors will be able to self-assess, but many will need an approved third-party assessment to get and maintain their certification.
  • CMMC Level 3: At Level 3, the CUI being protected is highly sensitive, and the networks holding it may be primary targets of cyber adversaries; examples are weapon test results or detailed manufacturing schematics. Not surprisingly, Level 3 applies to a smaller, select subset of the DIB, and securing a network to this level can be very expensive without a plan and effective tools. While the details of CMMC 2.0 are still being finalized, companies at this level will need to meet a subset of the enhanced requirements in NIST SP 800-172 on top of NIST SP 800-171, with government-led assessments every three years.

Taking the smartest route to CMMC certification.  

Most organizations will seek Level 2 or above. Not coincidentally, Level 2 and above is where things get complicated, because you must meet a large set of controls and show evidence for each. DoD contractors and suppliers who are large enough to have the resources in-house can do it themselves. Others may need to enlist third-party help.

Here are a few resources and thought nuggets that can ease your journey:

  • Self-assessment. The National Institute of Standards and Technology (NIST) publishes a Self-Assessment Handbook, NIST Handbook 162, to help contractors that provide products and services to the federal government evaluate their implementation of NIST SP 800-171. It is a great resource, but because it covers only the 800-171 requirements it takes you as far as Level 2; the enhanced Level 3 requirements from NIST SP 800-172 are outside its scope.
  • Certified CMMC Assessor (CCA) or Certified CMMC Professional (CCP). These credentialed individuals are authorized to deliver assessments, training, and consulting as part of a CMMC Third-Party Assessor Organization (C3PAO). Only the CMMC Accreditation Body (CMMC-AB) certifies them and accredits C3PAOs, and they are experts at getting you down the road quickly. One caveat: the organization that consults on your readiness cannot also perform your certification assessment, so plan on separate engagements if you want pre-assessment help.
  • Automation. CMMC practices come from NIST SP 800-171, not from configuration baselines, but the configuration-management and system-hardening practices are most easily met by applying existing Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) Benchmarks to your hardware and software. Automating those baseline checks not only saves a great deal of time and money, it gives you a way to monitor and document your compliance continuously. Having timestamped data that proves your practices are in place will help a lot come assessment time.
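To make the automation point concrete, here is a small example of a benchmark-style check that leaves an evidence trail. It is an added illustration for this post, not code from the author or from any CMMC tool, and everything in it is constructed: the rule identifiers (ssh-01 through ssh-04) are hypothetical labels rather than real STIG or CIS rule IDs, the rule set is a stand-in for the hardening rules you would take from the published benchmark content, and the sshd_config text is a made-up sample rather than a real host's file. What it shows is the part that matters for assessment: parse the configuration the way the daemon actually reads it (first value wins, conditional Match blocks excluded), fail a check when a setting is simply absent rather than trusting a default, and record each result with a timestamp you can hand to an assessor.

```python
"""Benchmark-style configuration checks that leave an evidence trail.

Added example for this post, not code from the author or from any CMMC
tooling. The rule identifiers, the rule set and the sample sshd_config
below are constructed for illustration; they are not quoted from a DISA
STIG or a CIS Benchmark, which you would take from the published content.
"""
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    rule_id: str            # local label (hypothetical, not a STIG/CIS ID)
    key: str                # sshd_config keyword, lower-cased
    expected: frozenset     # acceptable values, lower-cased


# Hypothetical hardening rules in the style of an SSH benchmark.
RULES = (
    Rule("ssh-01", "permitrootlogin", frozenset({"no"})),
    Rule("ssh-02", "passwordauthentication", frozenset({"no"})),
    Rule("ssh-03", "x11forwarding", frozenset({"no"})),
    Rule("ssh-04", "maxauthtries", frozenset({"1", "2", "3", "4"})),
)

# Constructed sample; not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no   # ignored by sshd: the first value wins
MaxAuthTries 4
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {keyword: value} for the global section of an sshd_config.

    sshd honours the first occurrence of a keyword and ignores later
    duplicates, so setdefault() is used rather than overwriting. Everything
    after the first 'Match' directive is conditional and is left out, so a
    compliant value inside a Match block does not mask a weak global one.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


@dataclass(frozen=True)
class Finding:
    rule_id: str
    key: str
    observed: str | None   # None when the keyword is not set explicitly
    passed: bool
    checked_at: str        # ISO-8601 UTC timestamp for the evidence record


def evaluate(settings: dict[str, str], rules=RULES,
             now: datetime | None = None) -> list[Finding]:
    """Check each rule. An unset keyword fails: the evidence must show the
    value was set deliberately, not that a compiled-in default happened to
    be acceptable."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    findings = []
    for rule in rules:
        observed = settings.get(rule.key)
        passed = observed is not None and observed.lower() in rule.expected
        findings.append(Finding(rule.rule_id, rule.key, observed, passed, stamp))
    return findings


def summary(findings: list[Finding]) -> tuple[int, int]:
    """(passed, total) for a one-line status."""
    return sum(f.passed for f in findings), len(findings)


def evidence_json(findings: list[Finding]) -> str:
    """Serialise findings as the artefact you would retain for an assessor."""
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    results = evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    print(evidence_json(results))
    print("passed %d of %d checks" % summary(results))
```

Run against the sample, the checker passes ssh-01 and ssh-04 and fails ssh-02 (the first PasswordAuthentication line says yes, and the compliant line inside the Match block does not count) and ssh-03 (X11Forwarding is never set). Scheduling a run like this on every host and keeping the JSON output is the kind of continuous, dated evidence the bullet above is talking about; for production use you would replace the hypothetical rules with the actual STIG or CIS Benchmark content for your platform.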

Reaching CMMC certification–and a new level of the client relationship. 

The ultimate reward of CMMC compliance is helping our country combat the never-ending attacks on our systems and data. Protecting sensitive data has become a national security issue for everyone in both the private and public sectors. But beyond that, it’s a way of engaging in your client’s mission in a way that builds greater trust, loyalty, and enthusiasm.

If you are only beginning your journey, it's time to research the C3PAOs and automation tools that can make it easier. If you are already automating the STIG and CIS Benchmark checks behind your CMMC requirements, you are well ahead of the pack. Finish your System Security Plan (SSP), keep a Plan of Action and Milestones (POA&M) for any remaining gaps, and you'll be ready for your assessment. See you on the road!

For the latest program changes and updates, visit https://www.acq.osd.mil/cmmc/index.html
