What Is Cybersecurity Maturity Model Certification (CMMC) – Updated 2019
Cybersecurity Maturity Model Certification (CMMC) Explained
Two years ago, the Department of Defense (DoD) required contractors that handle controlled unclassified information (CUI) to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, through the DFARS clause 252.204-7012 in their contracts.
NIST SP 800-171 outlines 110 security requirements for contractors that process, store, or transmit CUI, intended to establish a baseline of cybersecurity practice. Contractors were required to have implemented those requirements, or to have a documented plan for implementing any that were still open, by the end of 2017.
Now the DoD is preparing a new cybersecurity framework that builds on 800-171 (carrying its requirements forward and adding to them) and, unlike 800-171, requires contractors to be certified by a third party rather than attesting to their own compliance. The new standard is called the Cybersecurity Maturity Model Certification (CMMC).
The Purpose of the CMMC
The certification is designed to correct weaknesses in the way NIST SP 800-171 has been enforced and to set a uniform, enforceable cybersecurity standard for all DoD contractors, including those throughout Washington DC and Northern Virginia.
Currently, contractors are allowed to confirm their own compliance with 800-171: they document a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for any requirements that are not yet met. No outside party verifies either document.
In practice, this self-attestation left many contractors with inadequate cybersecurity practices and unmet requirements, putting DoD data at risk. The DoD attributes losses of sensitive information at contractors to this gap and is now tightening its standards.
CMMC aims to designate universal cybersecurity practices for all DoD contractors.
The DoD will require third-party certification under this new model. Contractors must meet the requirements for the level specified in their contract and hold a current certification to do business with the department.
The CMMC is expected to specify five maturity levels, ranging from basic cyber hygiene to advanced and progressive practices.
The purpose of the tiered levels is to match the required practices to the sensitivity of the work: a contractor that never handles CUI is not held to the same bar as one that does.
Who Will Be Affected by the New Certification
Any DoD contractor that works with controlled unclassified information will be expected to gain certification from a third-party assessor. The DoD is expected to use a nonprofit organization to manage the certification process and accredit the assessors, although it is not yet clear which organization will be chosen or who the assessors will be.
The certification is also expected to apply to every contractor in the DoD supply chain, including subcontractors that do not handle CUI. Each DoD contract will state the CMMC level required to bid on it. The model is being designed so that most small businesses, in Washington DC as elsewhere, will be able to meet at least the Level 1 requirements.
It is also possible that the cost of achieving certification will be treated as an allowable cost, meaning contractors could recover those expenses through their DoD contracts.
When Is the Deadline
The Cybersecurity Maturity Model Certification guidelines have not yet been released and likely will not be until later this year.
Certification assessments are expected to begin over the course of 2020 and 2021, although there is no fixed deadline for attaining certification at this point.
Contractors throughout the area, including Northern Virginia, should plan to close their compliance gaps now and expect to begin the certification process in 2020.
How You Can Prepare
Although no specifics have been published, the CMMC is expected to carry over the existing 800-171 requirements and add new practices and process-maturity requirements on top of them.
Contractors in Washington DC that already have the 800-171 controls in place should watch for the new requirements as they are released and plan to meet them.
Contractors should not assume that 800-171 compliance will automatically make them eligible for the Cybersecurity Maturity Model Certification: the assessment is independent, and the SSP and POA&M approach that satisfied 800-171 will no longer be sufficient on its own.
Depending on the level a contract requires, the expected measures could be considerably more advanced than what contractors in Northern Virginia are applying today.
If the certification is successful in improving cybersecurity for DoD contractors and those that do business with the department, future models could be published for other sectors of the government as well.
Solvere One Is CMMC Ready!
If you do business with the DoD, you need to be ready for the Cybersecurity Maturity Model Certification that will be released later this year.
Solvere One provides CMMC-ready solutions and is prepared to help you meet the required practices.
Our expert team can help you prepare now so that you are ready to demonstrate compliance, and when the model is released, you will be ahead of the game in attaining certification.