In this article you’ll learn:
- What CMMC is and why it matters for contractors and subcontractors
- What the technical acronyms used throughout the CMMC process mean
- How GadellNet helps contractors navigate compliance
- What comes next on the road to CMMC compliance
Cybersecurity Maturity Model Certification, or CMMC, was released in January 2020 by the Department of Defense (DoD). CMMC was created to make sure contractors protect the sensitive but unclassified data the government shares with them. Contractors and subcontractors that handle government CUI must meet this set of standards.
CUI, or Controlled Unclassified Information, is a broad category that also includes Covered Defense Information (CDI). Data in this family – Proprietary Business Information (PBI), Unclassified Controlled Technical Information (UCTI), Sensitive But Unclassified (SBU), and similar markings – is unclassified, but it still must be stored, handled, and transmitted according to specific safeguarding requirements.
What Does CMMC Compliance Mean for Your Business?
In the future, this sensitive government data will only be made available to organizations, contractors, and subcontractors that meet these standards. This kind of data (typically CUI and CDI) might be provided to an organization during a bid process or with project work awarded by the government, so an organization that does not meet the standards would be ineligible to bid. As it stands now, organizations must complete a self-assessment of their cybersecurity posture against NIST SP 800-171.
CMMC is the tiered approach the US Government is using to verify contractor compliance with NIST SP 800-171. CMMC 1.0 defines five levels; the lower tiers rely on self-assessment, and the upper tiers require an audit and certification by an accredited third party. At this time, the first step is to complete the NIST SP 800-171 self-assessment and upload the resulting score to the Supplier Performance Risk System (SPRS). The score starts at 110 and loses points for every requirement that is not implemented, so 110 is the maximum and means all 110 requirements are in place; scores below that (the methodology allows negative scores) are expected for most first-time assessments. An organization that scores below 110 must also submit a Plan of Action with a projected completion date for reaching 110.
When Should My Organization Begin Working Toward CMMC Compliance 1.0?
At present, there is no deadline to complete the self-assessment. Why start now? Because it is a lengthy process: the assessment covers the 110 requirements in NIST SP 800-171, and each requirement carries a point value that is deducted from 110 when the requirement is not met, which is how your organization’s SPRS score is derived. Another reason to start now is that prime contractors and agencies are already asking where their potential partners stand with CMMC Level 1.
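As an added example (not part of the original article, and not GadellNet’s tooling), the following Python script shows how the SPRS score described above is actually derived under the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract each unimplemented requirement’s weight, and record every deduction as a POA&M item. The requirement IDs, weights, and implementation statuses in the script are a constructed subset for illustration; the authoritative weights for all 110 requirements live in the methodology’s Annex A, and the names `sprs_score` and `Status` are assumptions of this example.

```python
"""SPRS score calculation under the NIST SP 800-171 DoD Assessment Methodology.

Added example, not from the article. The methodology starts at 110 and deducts
each unimplemented requirement's weight (1, 3 or 5 points). Two requirements,
3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography),
allow partial credit: a partial implementation deducts 3 instead of 5.
The requirement subset and weights below are CONSTRUCTED for illustration;
a real assessment covers all 110 requirements with the Annex A weights.
"""
from dataclasses import dataclass
from typing import Iterable

MAX_SCORE = 110

# Constructed illustrative subset: requirement id -> point value.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication
    "3.8.1": 3,    # protect system media containing CUI
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}

# Deduction applied when the requirement is only partially implemented.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

VALID_STATES = ("implemented", "partial", "not_implemented")


@dataclass
class Status:
    req: str    # requirement id, e.g. "3.5.3"
    state: str  # one of VALID_STATES


def sprs_score(statuses: Iterable[Status]):
    """Return (score, poam) where poam lists (requirement, points deducted).

    Raises ValueError for unknown requirements, unknown states, or a
    'partial' state on a requirement that has no partial-credit rule
    (those must be scored as not implemented).
    """
    score = MAX_SCORE
    poam = []
    for s in statuses:
        if s.req not in WEIGHTS:
            raise ValueError(f"unknown requirement {s.req}")
        if s.state not in VALID_STATES:
            raise ValueError(f"unknown state {s.state!r} for {s.req}")
        if s.state == "implemented":
            continue
        if s.state == "partial":
            if s.req not in PARTIAL_DEDUCTION:
                raise ValueError(
                    f"{s.req} has no partial-credit rule; score it as not_implemented"
                )
            deduction = PARTIAL_DEDUCTION[s.req]
        else:
            deduction = WEIGHTS[s.req]
        score -= deduction
        poam.append((s.req, deduction))  # every deduction becomes a POA&M item
    return score, poam


# Constructed sample assessment for a fictional contractor.
SAMPLE = [
    Status("3.1.1", "implemented"),
    Status("3.1.22", "implemented"),
    Status("3.5.3", "partial"),           # MFA only for privileged/remote users
    Status("3.8.1", "not_implemented"),
    Status("3.13.11", "not_implemented"),  # encryption in use but not FIPS-validated? no: none
]

if __name__ == "__main__":
    score, poam = sprs_score(SAMPLE)
    print(f"SPRS score: {score}")
    for req, pts in poam:
        print(f"  POA&M: {req} (-{pts})")
```

The point of the example is the direction of the scale: a contractor cannot score above 110, and any deduction at all means a POA&M entry with a target date. Note that `partial` is rejected for requirements other than 3.5.3 and 3.13.11, because the methodology gives no partial credit elsewhere.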
Why Partner with GadellNet to Complete CMMC Compliance?
Our GadellNet Consulting Services Team helps you perform the self-assessment, build your System Security Plan (SSP), and calculate the SPRS score you will submit.
CMMC Level 1 starts with a self-assessment that produces your initial SPRS score, and that assessment is built on your SSP. The SSP is a living document: it must be updated whenever the company changes anything substantive about its security posture, and every significant update and its corresponding remediation must be recorded and reviewed. The SSP describes the security controls, configurations, and capabilities that are in place today as well as those planned for later, along with the implementation timeline. Each capability is tied explicitly to the NIST SP 800-171 requirement it satisfies.
For NIST SP 800-171 and CUI purposes, a Plan of Action and Milestones (POA&M) is required for every requirement that is not yet implemented; it lists the planned remediation, the milestones, and the projected completion date.
The POA&M will be unique to your business, since it documents your specific weaknesses and gaps against NIST SP 800-171, the risk associated with each gap, and the mitigating steps the company intends to take. Although the desired outcome is the same for everyone, not every company will choose to address every risk in the same way. These are business decisions with operational and financial implications that need to be planned and implemented against a timeline and budget.
GadellNet has helped many organizations with their CMMC compliance needs, speeding up the process with our toolsets and security offerings.
What Comes Next for CMMC Compliance?
As of June 2022, the DoD has announced CMMC 2.0 (first unveiled in November 2021), but the rule is not yet final and the formal requirement in force is still the NIST SP 800-171 self-assessment and SPRS submission. CMMC 2.0 reduces the model to three levels and applies to contractors supporting the Department of Defense. CMMC 2.0 Level 2, like DFARS 7012, requires full NIST SP 800-171 compliance for the information systems and policies that store, process, or transmit covered information.
CMMC 2.0 applies to organizations supporting the Department of Defense that handle or process the following types of data:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI) / Covered Defense Information (CDI)
- Controlled Technical Information (CTI)
- International Traffic in Arms Regulations (ITAR) Data
GadellNet will be here to help you navigate this process and complete compliance requirements. To learn more, reach out to your Account Manager or contact us at email@example.com.
This information is current at the time of publishing, according to the DoD’s released guidance. Once its rulemaking is complete, CMMC 2.0 will become the new standard.