Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for DoD contractors and subcontractors. It replaces the self-attestation model with third-party certification.
The certification is built on existing requirements such as NIST SP 800-171, NIST SP 800-53 and AIA NAS9933, together with private-sector contributions and input from academia. It is intended to tighten cybersecurity across the defense industrial base. CMMC defines five levels against which a contractor's cybersecurity practices and processes are measured.
The compliance burden is shifting.
With CMMC – Cybersecurity Maturity Model Certification – the burden falls on suppliers to demonstrate cybersecurity compliance under the existing DFARS and NIST SP 800-171 terms. Supplier compliance will be verified by third-party assessment rather than self-attestation, and a process component will evaluate how effectively and consistently those practices are carried out (the "maturity" in the name). Suppliers cannot wait until a contract is awarded: certification at the level a solicitation requires is a prerequisite to bidding. Compliant suppliers gain a competitive edge as the lowest-risk partner for prime bidders.
Be prepared. Get the right tools! Consider how you will:
- Adapt to CMMC when it fully rolls out
- Compete when your compliance is lacking
- Contend with audited, vs. declared, compliance
How Net X IT Solutions Can Help
Whether completing a NIST SP 800-171 self-assessment or preparing for a CMMC audit, suppliers can benefit from risk-management solutions that:
- Explain the security controls, practices and processes, and help determine where the supplier stands relative to each
- Support the creation of new policies and the evaluation of existing policies against NIST SP 800-171 and CMMC requirements
- Enable compliant collaboration and information sharing between suppliers and prime contractors
Take action now. Get ahead of the curve for future business with government prime contractors.
CMMC will change routines.
Know what's ahead. CMMC differs from the current DFARS self-attestation regime along several vectors that up the ante for suppliers, as it:
- Incorporates the security controls of NIST SP 800-171 and adds practices drawn from other standards such as ISO 27001
- Adds a process component meant to ensure continuous cybersecurity maturity
- Replaces self-attestation with a certification audit conducted by an approved third-party assessor
- Eliminates the air cover previously provided by prime contractors, because suppliers must obtain their own certifications
CMMC was announced in early 2019. Suppliers will begin seeing it in select Requests for Information and Requests for Proposals in 2020, and the program is expected to be fully phased in by 2026. Over that period, suppliers will have to satisfy both the current DFARS 252.204-7012 clause and CMMC.
The time to prepare is now. DoD suppliers that wait may find themselves at a significant competitive disadvantage.