Beginning in 2020, any contractor or subcontractor doing business with the Department of Defense will be required to undergo a third-party audit of their cybersecurity maturity under the framework of the Cybersecurity Maturity Model Certification (CMMC). Although some important details and requirements are still being defined, here’s what you need to know to start preparing today:
- There are five levels of certification requirements that build on each other. Achieving certification for any level means that you have met all controls for the lower levels as well.
- The DoD expects that the majority of the ~350,000 vendors in its supply chain will only need Level 1 certification, which covers 17 basic (and low-cost) controls. A Level 1 audit is expected to take 1-2 hours and cost less than $3,000.
- If your organization provides (or plans to provide) services to the DoD that require access to Controlled Unclassified Information (CUI), your requirement will most likely be a Level 3 audit. Unlike Level 1, Level 3 requires 130 controls (all 110 NIST SP 800-171 requirements plus 20 additional CMMC practices) and demonstrated, ongoing management of the security environment, not just the presence of the controls themselves.
- Once you have been certified by an accredited, independent third-party assessment organization, that certification applies to any DoD contract requiring your certified level or lower; you do not repeat the audit for each contract.
- Your CMMC audit must be completed at the time of the contract award (not at the time of the contract bid).
- Many unknowns still exist for the certification process, and as of April 2020 there are NO certified third-party assessment organizations (C3PAOs) or certified assessors. The CMMC Accreditation Body is still defining the requirements for both.
- Unlike the previous ‘self-certification’ regime for DoD contractors, CMMC certification does not allow for Plans of Action and Milestones (POA&Ms). A single unmet control caps you at the highest level for which every control is satisfied.
- In June 2020, expect to see ‘Pathfinder’ RFIs published for select contracts. These RFIs will be used by the CMMC Accreditation Body to refine the certification and audit process before the planned implementation in September 2020.
Because the content of the CMMC controls is published, you can begin preparing your organization today for your upcoming audit. Having your organization assessed for cybersecurity maturity against the CMMC framework – by either an internal or an external resource – is the critical first step to identify any gaps that need remediation before your CMMC audit. Remediation work done now will both improve your security posture and prepare you to produce the evidence and artifacts your auditor will be looking for.