Do you know the answers to the questions below regarding CMMC compliance?
- Are you ready for CMMC?
- Do you know what you need to do or have in place to be ready for the assessment?
- Do you know how long it will take to be ready for the assessment?
- Do you have a POAM and know how and when all items will be remediated?
- Do you know when you need to be ready?
- Do you know what level of compliance you need to attain?
- Do you have additional questions about CMMC?
We are here to answer your questions and help you prepare for your Assessment and become certified in time for new DOD contract work. We can work with you to answer these questions and more in preparation for CMMC compliance.
We are experienced compliance consultants. We are educating ourselves as CMMC information continues to evolve. Still, everyone recognizes that the important first step for every company is to educate themselves on what is needed to get ready. We can help you evaluate your environment, define the path to compliance and work with your organization to prepare with a prioritized roadmap of the steps you will want to take to ensure compliance and a successful assessment.
Contact us today and let’s discuss your needs and how it makes sense for your company to move forward.
The Cybersecurity Maturity Model Certification (CMMC) is a certification and compliance process developed by the Department of Defense (DoD). It is designed to certify that contractors have the controls in place to protect sensitive data. These data include Federal Contract Information and Controlled Unclassified Information (CUI). January 2020 saw the release of the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0. The framework has been developed in a collaborative process with University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.
The CMMC brings together a number of previously discrete compliance processes into one unified framework. These include NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933. In addition, it has taken some best practice guidelines from associated compliance procedures such as those contained in FISMA. The biggest change brought about by the CMMC for DoD contractors will be the necessity to subject themselves to external security audits. Up until now, defense contractors have been responsible for monitoring and certifying the security of their own information systems, and any DoD data stored or transmitted by them.
Under the new model contained in the CMMC, contractors will remain responsible for implementing cybersecurity requirements, but their systems will be audited by third-party assessors. These assessments will check compliance with certain mandatory practices, procedures, and capabilities.
When Will CMMC Compliance Become a Requirement?
CMMC compliance requirements will appear in the requests for information (RFI) process in June 2020 and in the requests for proposals (RFP) process in September 2020, though it will be a couple of years before the full framework is enforced. The first full version of the CMMC framework was published in January 2020, following the publication of several draft versions over the previous few years.
Who Will Have to Comply with the CMMC?
FREQUENTLY ASKED QUESTIONS
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings.
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
Unlike NIST SP 800-171, the CMMC model possesses five levels. Each level consists of its own practices and processes as well as those specified in the lower levels.
In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.