CMMC Certification in Washington DC For DoD Contractors – 2020
Information on CMMC Certification in Washington DC for DoD Contractors
As a result of growing cybersecurity incidents, the United States government is increasing its cybersecurity requirements for contractors to reduce risk.
Previously, the National Institute of Standards and Technology’s (NIST) 800-171 standard outlined cybersecurity controls for contractors who handled controlled unclassified information (CUI). However, many contractors neglected to come into compliance, as they were only required to self-certify.
Now, the Cybersecurity Maturity Model Certification (CMMC) is the new standard, going into effect starting June 2020. The CMMC will require contractors to be certified by a third party to be considered for any future work with the government.
Here’s what you need to know about CMMC certification in Washington DC if you’re a Department of Defense (DoD) contractor.
What Exactly Is CMMC?
CMMC expands on the measures outlined in 800-171 and combines controls from other publications into one mandate. CMMC has five levels:
- 1. Basic Cyber Hygiene. This level is awarded to vendors that have basic cybersecurity practices in place.
- 2. Intermediate Cyber Hygiene. This level is considered an intermediate stage between Level 1 and Level 3.
- 3. Good Cyber Hygiene. Contractors who have implemented all the controls in the most recent version of 800-171 will automatically qualify for Level 3 certification.
- 4. Proactive. For those who have implemented enhanced security for CUI.
- 5. Advanced/Progressive. Sophisticated cybersecurity techniques are in place.
Not every contractor will need to attain certification for every level. For example, your work with the DoD may only require that you have a Level 3 certification, but for others, a Level 5 may be needed. You can only achieve DC CMMC certification if you have implemented all of the controls for your particular level.
Unlike 800-171, you cannot self-certify with the CMMC. You must seek an audit with approved third-party auditors, also called approved third-party assessor organizations, that will audit and award you a certification level based on your cybersecurity practices.
As the CMMC develops, controls could change, so working with an experienced managed services provider who’s current on CMMC developments for your certification needs could be helpful.
When Certification Will Be Required
Beginning in June 2020, vendors for specific DoD programs will be required to attain CMMC certification in Washington DC. Before being considered for these contracts, you must be certified at the level specified in the Request for Proposals.
Beginning in October 2020, all contractors for all DoD programs will need to have DC CMMC certification to bid for contracts. Eventually, all government contractors will be required to be CMMC certified on some level, so it’s important not to wait to get started with the process!
How to Get Started With CMMC Certification In Washington DC
To get started with the certification process, you’ll first need to identify what level you’d like to obtain or need to achieve for your current or future work with the DoD. Remember, if you’ve complied with 800-171 standards, you should be able to attain a Level 3 certification.
Next, you’ll need to decide if you have the resources to implement the necessary cybersecurity controls in-house. Vendors who can do this are typically those that have full-time IT staff, IT departments, or have IT as their core function.
If this isn’t you, your ideal move is to consider outsourcing your certification process to a managed services provider in DC. Find a provider who’s experienced in CMMC compliance, as they’ll be able to assess your current cybersecurity practices and develop a strategy to help you qualify for the needed certification level.
Outsourcing your CMMC certification needs is often the most effective way for contractors to implement the necessary controls. Providers not only have the talent and resources to effectively remediate your cybersecurity practices, but can maintain them as the standard develops and changes.
Whether you decide to handle your certification needs in-house or outsource, your next step is to obtain a Readiness Assessment from a third party to see where you stand with regard to meeting the certification level for your DoD work. If you’re working with a consultant, they can perform this assessment, which will uncover any vulnerabilities or missing processes that would prevent you from obtaining CMMC certification in Washington DC.
Once you’re in compliance with the controls and have documentation from your consultant, you can seek certification from an accredited third-party auditor to become certified to bid on contracts or continue your work with the DoD.
Don’t Wait to Get Certified!
If you’re a contractor with the DoD, it’s important not to wait to get certified with the new standard. It takes time to implement all the measures in CMMC, and it also takes time to get an audit done. Working with a consultant can help the process go more smoothly and get you in compliance faster than most vendors can manage with their in-house staff. With the certification deadline just a few months away, most contractors can’t afford to wait to get certified!