(July 13, 2021) To combat rising cyber threats, the Department of Defense (DoD) has introduced the Cybersecurity Maturity Model Certification (CMMC), which establishes minimum cybersecurity standards for DoD contractors. Although full implementation is more than four years away, organizations should begin planning now to meet CMMC standards.
Announced on Jan. 31, 2020, the CMMC is designed to measure a contractor’s cybersecurity readiness and improve the security and integrity of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It draws from other standards and frameworks, including the Defense Federal Acquisition Regulation and National Institute of Standards and Technology SP 800-171.
The DoD is already implementing the CMMC for a limited number of procurements, starting with critical technologies such as nuclear and missile defense. Approximately 1,500 prime and subcontractors will need to be certified in 2021. The number will increase each year until full implementation is reached.
Beginning in 2026, the DoD will require some level of certification for all new contracts. Contract opportunities will be available at all stages of maturity, but prime and subcontractors will be required to demonstrate at least basic security measures to do business with the DoD.
Understanding the CMMC
The CMMC framework has five maturity levels, from basic to advanced, organized by domains, processes, capabilities, and practices. Domains are made up of practices for things like access control, risk management, and incident response. Capabilities are collections of practices and practices encompass multiple processes.
Organizations at level 1 have implemented basic cybersecurity measures to prevent unauthorized access to systems and data. Cybersecurity processes are merely performed. As an organization moves up the maturity levels, processes must be documented (Level 2), managed (Level 3), reviewed (Level 4), and optimized (Level 5). Levels 4 and 5 emphasize a proactive approach to addressing cyber threats.
The requirements of the five levels are cumulative — a contractor must start with level 1 and obtain certification at each level. For some organizations, level 1 may be sufficient. But contractors that process or store CUI and FCI will likely need certification at level 3 or higher. The DoD will specify in each request for proposal (RFP) which level is required. Prime contractors must ensure their subcontractors have met the appropriate CMMC level requirement for the nature of their work.
How to Achieve Certification
As an initial step, organizations should determine their current level of CMMC readiness and develop a strategy for achieving their desired maturity level. This includes creating a Plan of Action and Milestones (POAM) that indicates the specific actions the company will take to close security gaps.
In the implementation phase, organizations should utilize the POAM to correct any deficiencies found in the assessment by developing new procedures and installing necessary tools. Employees should be trained on the new security requirements.
Assessments will be performed by accredited Third-Party Assessment Organizations (3PAOs) and individual assessors. When undergoing an audit by a 3PAO, an organization must be prepared to present proof that all required security controls for a particular level are met and to show efforts toward continuous improvement.
With today’s complex, global supply chains, an organization’s cybersecurity risk is at least partly dependent on its business partners. This is especially true for the DoD, which does business with an estimated 300,000 prime and subcontractors. By meeting CMMC standards, prime and subcontractors will play a key role in increasing the nation’s cybersecurity.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile
