Cybersecurity Maturity Model Certification (CMMC) is the new way for Department of Defense contractors to prove they have the appropriate level of cybersecurity. It involves an independent assessment (audit) rather than self-certification. While only specifically approved assessors can do an audit, it’s well worth using a cybersecurity expert consultant to prepare for it.
Background to CMMC
CMMC stems from the Defense Federal Acquisition Regulation Supplement (DFARS), a 2015 mandate aiming to tighten cybersecurity among contractors handling defense information. It required contractors and subcontractors to follow the cybersecurity standards known as NIST 800-171. Officials soon became concerned that contractors were too slow to comply with DFARS and that the self-certification system for confirming compliance was too open to abuse.
The new system, CMMC, brings two key changes. It has a new set of standards that take better account of the way different DoD contracts require different levels of security. It also ditches self-certification and now requires an independent assessment.
CMMC covers 171 practices (specific security measures), broken down into 17 domains (general subjects) and 43 capabilities (specific subjects). Each practice also has an assigned maturity level between 1 (lowest) and 5 (highest). “Maturity” refers to how sophisticated the security is.
CMMC Audits and Consequences
Every CMMC assessment covers a specific maturity level (starting with 1). You have to pass each level’s evaluation in order rather than skip ahead. You can only pass an assessment if the assessor finds you are following all the practices at the appropriate maturity level.
When you pass a level, you get a certificate that’s valid for three years unless you have a security breach. The nature of the assessment changes as you go up the levels. Broadly, level 1 is more of a checklist exercise, while higher levels take a comprehensive look at how you manage your cybersecurity.
Since October 2020, you must pass level 1 before you can bid for any DoD contract that uses Federal Contract Information. Meanwhile, some contracts that include Controlled Unclassified Information must meet a specific minimum maturity level. The number of contracts affected will increase each year until 2025, after which the plan is for all such contracts to have a minimum maturity level.
Audits have to be carried out by an accredited assessor, chosen through a “marketplace” run by the CMMC Accreditation Body. There’s an assessment fee, but assessors can compete on price.
Preparing For CMMC Audits
The good news is that what assessors look for at a particular level is not a secret. That means you can prepare by examining your current security measures and making sure you fix any shortcomings. Doing this will give you more confidence in passing the first time, and you’ll be ready to bid for (and win) contracts rather than have to get in line for a reassessment.
The best way to prepare for an assessment is to hire an expert consultant, such as JNT Tek, who can look at your setup and give specific advice on what changes you need to make. Such a consultant brings experience and knowledge of:
- exactly what assessors are looking for
- common mistakes that businesses make before getting an assessment
- how assessors interpret any ambiguities in the wording of CMMC practices
Get Third-Party Advice on the CMMC Audit
While a third-party cybersecurity advisor cannot complete the CMMC audit for you, they can give valuable advice and guidance to prepare you for the examination. Call JNT Tek today to set up a CMMC consultation.