Two years ago, the Department of Defense (DoD) required all their contractors to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

NIST’s 800-171 outlined 110 controls for contractors that work with controlled unclassified information (CUI) to help them attain basic cybersecurity standards. Contractors were required to be in compliance or have a plan for compliance by the end of 2017.

Now, the DoD is in the process of releasing a new publication for cybersecurity, which will essentially replace 800-171 and require contractors to attain certification. The new standard will be called the Cybersecurity Maturity Model Certification (CMMC).

The Purpose of the CMMC in 2021

The certification is designed to correct issues with NIST’s 800-171 and set an enforceable uniform cybersecurity standard for DoD contractors throughout Washington DC and Northern Virginia.

Currently, contractors are allowed to confirm their own compliance with 800-171 by documenting an existing security plan that meets the controls and a subsequent plan for any unmet controls.

However, this system left many contractors with inadequate cybersecurity practices that had yet to meet the requirements and put data at risk. Compromised sensitive information led to numerous incidents for the DoD, and they’re now trying to improve their standards.

CMMC aims to designate universal cybersecurity practices for all DoD contractors.

The DoD will require third-party certification for this new model. Contractors must have met the issued requirements and attain certification to do business with the department.

The CMMC is expected to specify five levels of data security, ranging from basic measures to advanced practices.

The purpose of these varying levels is to allow contractors to implement the procedures most appropriate for their particular work.

Who Will Be Affected by the New Certification

Any DoD contractors that work with controlled unclassified information will be expected to gain certification under a third-party auditor. The DoD is expected to utilize a nonprofit organization to manage the certification process and auditors, although it’s not yet clear which organization will be hired or who the auditors will be.

The certification will also apply to all contractors who do business with the DoD. DoD contracts will detail the required security level needed to attain certification. The model is expected to be made so that most small businesses in Washington DC will be able to at least meet the level one requirements.

It’s also possible that the expenses of gaining compliance could be an allowable cost, so contractors could recover their expenses by achieving the certification.

When Is the Deadline

The Cybersecurity Maturity Model Certification guidelines haven’t yet been released and likely won’t be until later this year.

It’s expected that the certification process will begin throughout 2020 and 2021, although there is no set deadline to attain certification at this point.

Contractors throughout the area including Northern Virginia should expect to gain compliance and begin the certification process starting in 2020.

How You Can Prepare

Although no specifics have been published, the CMMC is expected to have new controls as well as some current ones carried over from the 800-171 publication.

Although some contractors in Washington DC may have NIST’s 800-171 controls in place, they need to be aware of the new controls as they’re released and make plans to meet them.

Contractors should not expect that just because they have gained 800-171 compliance that they will automatically be eligible for the Cybersecurity Maturity Model Certification.

There will be new controls and depending on which level contractors are required to meet, the cybersecurity measures could be much more advanced than what contractors in Northern Virginia are currently applying.

If the certification is successful in improving cybersecurity for DoD contractors and those that do business with the department, future models could be published for other sectors of the government as well.

Solvere One Is CMMC Ready!

If you do business with the DoD, you need to be ready for the new Cybersecurity Maturity Model that’ll be released later this year.

Solvere One provides CMMC-ready solutions and is prepared to help you meet the necessary controls.

Our expert team can help you prepare now to ensure you’re ready to gain compliance, and when the model is released, you’ll be ahead of the game to attain certification!

As a result of growing cybersecurity incidents, the United States government is increasing its cybersecurity requirements for contractors to reduce risk.

Previously, the National Institute of Standards and Technology’s (NIST) 800-171 standard outlined cybersecurity controls for contractors who handled controlled unclassified information (CUI). However, many contractors neglected to get in compliance, as they were only required to self-certify.

Now, the Cybersecurity Maturity Model Certification (CMMC) is the new standard going into effect starting June 2020. The CMMC will require contractors to be certified by a third-party to be considered for any future work with the government.

Here’s what you need to know about CMMC certification in Washington DC if you’re a Department of Defense (DoD) contractor.

What Exactly Is CMMC?

CMMC expands on the measures outlined in 800-171 and combines controls from other publications into one mandate. CMMC has five levels:

Not every contractor will need to attain certification for every level. For example, your work with the DoD may only require that you have a Level 3 certification, but for others, a Level 5 may be needed. You can only achieve DC CMMC certification if you have implemented all of the controls for your particular level.

Unlike 800-171, you cannot self-certify with the CMMC. You must seek an audit with approved third-party auditors, also called approved third-party assessor organizations, that will audit and award you a certification level based on your cybersecurity practices.

As the CMMC develops, controls could change, so working with an experienced managed services provider who’s current on CMMC developments for your certification needs could be helpful.

When Certification Will Be Required

Beginning in June 2020, vendors for specific DoD programs will be required to attain CMMC certification in Washington DC. Before being considered for these contracts, you must be certified at the level specified in the Request for Proposals.

Beginning in October 2020, all contractors for all DoD programs will need to have DC CMMC certification to bid for contracts. Eventually, all government contractors will be required to be CMMC certified on some level, so it’s important not to wait to get started with the process!

How to Get Started With CMMC Certification In Washington DC

To get started with the certification process, you’ll first need to identify what level you’d like to obtain or need to achieve for your current or future work with the DoD. Remember, if you’ve complied with 800-171 standards, you should be able to attain a Level 3 certification.

Next, you’ll need to decide if you have the resources to implement the necessary cybersecurity controls in-house. Vendors who can do this are typically those that have full-time IT staff, IT departments, or have IT as their core function.

If this isn’t you, your ideal move is to consider outsourcing your certification process to a managed services provider in DC. Find a provider who’s experienced in CMMC compliance, as they’ll be able to assess your current cybersecurity practices and develop a strategy to help you qualify for the needed certification level.

Why Outsource?

Outsourcing your CMMC certification needs is often the most effective way for contractors to implement the necessary controls. Providers not only have the talent and resources to effectively remediate your cybersecurity practices, but can maintain them as the standard develops and changes.

Whether you decide to handle your certification needs in-house or outsource, your next step is to obtain a Readiness Assessment from a third-party to see where you’re at in regards to meeting the certification level for your DoD work. If you’re working with a consultant, they can perform this assessment, which will uncover any vulnerabilities or missing processes that would prevent you from obtaining CMMC certification in Washington DC.

Once you’re in compliance with the controls and have documentation from your consultant, you can seek certification from an accredited third-party auditor to become certified to bid on contracts or continue your work with the DoD.

Don’t Wait to Get Certified!

If you’re a contractor with the DoD, it’s important not to wait to get certified with the new standard. It takes time to implement all the measures in CMMC, and it also takes time to get an audit done. Working with a consultant can help the process go smoother and get you in compliance faster than most vendors can manage with their in-house staff. With the certification deadline just a few months away, most contractors can’t afford to wait to get certified!