Cybersecurity Maturity Model Certification (CMMC) Readiness
On January 31, 2020, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC). This new framework is intended to ensure that DoD contractors and suppliers have appropriate cybersecurity frameworks in place to protect data such as Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other information. The DoD is rolling out the new framework “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).”
In other words, organizations will soon need to certify their CMMC readiness to continue working for or bidding on projects with DoD. The DoD and CMMC Accreditation Board (CMMC AB) will select organizations to undergo their first CMMC assessments in 2020. The DoD will subsequently roll out CMMC requirements to all other contractors beginning in 2021. With any certification comes preparation – and you may need several months to get ready for these new incident response maturity model requirements.
The DoD’s new cybersecurity maturity model features five maturity levels incorporating and adding to the 110 security requirements in NIST SP 800-171 currently required under DFARS 252.204-7012. The five levels range from ‘Basic Cybersecurity Hygiene’ to ‘Advanced/Progressive’. These cybersecurity maturity levels attempt to map the rigor of an organization’s cybersecurity plan to the risk it poses to the interests of national defense. Maturity Level 1 is associated with organizations that pose the least risk and require a baseline security program. Maturity Level 5 organizations pose the highest possible risk to our national defense interests and therefore require the most rigorous security program. Organizations that wish to bid on a DoD contract would need to show that the maturity of their CMMC certification supports the risk associated with the bid.
Certification will require a third-party audit of a company’s cybersecurity abilities, conducted by a CMMC Third Party Assessment Organization (C3PAO).
How Ready Are You For CMMC Cybersecurity Requirements?
“If you want to work with the DoD I would look at the CMMC model the way it is right now – Level 1 specifically – you should be doing those today.”
– Katie Arrington, CISO, Office of the Under Secretary of Defense for Acquisition
Because the cybersecurity maturity model certification framework is based on well-established standards, you likely comply with at least some of CMMC’s requirements today. If you wish to contract with DoD, you should take the following steps to prepare for CMMC:
- Know Your CMMC Level: Determine whether your organization is a Level 1, 2, 3, 4, or 5 organization. Levels are assigned to organizations based on the risk they pose to the DoD and its mission.
- Evaluate Your Current Compliance: If you are a DoD contractor who poses a risk to CUI, you already have obligations to self-assess to NIST Special Publication 800-171. Additionally, the CISO of the Office of the Under Secretary of Defense for Acquisition urges all contractors to achieve Level 1 compliance now. An independent gap assessment will help you understand your current-state compliance.
- Evaluate Your Risk: For cybersecurity maturity Level 2, 3, 4, and 5 organizations, CMMC requires a risk assessment. By conducting your gap assessment in conjunction with a DoCRA risk assessment, you may prioritize your gaps and design controls that would be demonstrably reasonable against foreseeable risks.
- Plan Your Remediation: By developing a Plan of Action and Milestones (PoAM) and a System Security Plan, you can address your current NIST 800-171 requirements based on risk, and can develop a roadmap toward your eventual CMMC certification.
- Certification: After a beta testing period in 2020, the DoD and CMMC AB will select contractors to undergo CMMC readiness certification. You will work with an auditor (C3PAO) to test your compliance with the new requirements. Upon completion of the certification, you will be permitted to respond to RFPs and to continue your contracted work with DoD.
As a DoD contractor, it is in your best interest to establish your CMMC readiness and to prepare for your official certification so that you remain under consideration for DoD-related services. You will need to be ready when called. And by preparing for CMMC cybersecurity with DoCRA, you will be able to demonstrate that you’ve addressed risks to CUI reasonably and have an incident response maturity model that aligns with DoD guidelines.
As authors of the CIS Risk Assessment Method (RAM) and developers of Duty of Care Risk Analysis (DoCRA), HALOCK works with regulators, information security organizations, technical and executive management, and litigators to define the reasonableness of cybersecurity controls. This expertise provides our clients with the insight they need to define their acceptable level of risk, and to demonstrate that they apply their “duty of care” while managing the risks they pose to themselves and others.
What Does the CMMC Readiness Program Provide?
The program offers an expert team of cybersecurity professionals to help scope, assess, and develop a plan to prepare your organization for the cybersecurity maturity model certification framework. You will have a clear 3-phased plan so you can see your current status and the steps required to be ready for certification, plus final reports and deliverables.
1. Determine Requirements & Scope
2. Assess Controls
3. Develop Plans
Let’s talk about how you can get ahead of the game on being CMMC cybersecurity-ready and managing risk reasonably.
^Blank Rome LLP: New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements