The issue of cybersecurity has remained in the public spotlight for quite some time, given the number of high-profile attacks and breaches that have plagued not only our federal government but a myriad of prominent private enterprises. The Cybersecurity Maturity Model Certification (CMMC) was put into place in 2019 as a way to safeguard sensitive information and to minimize the likelihood of cybersecurity breaches and the potential damage they may cause to the federal government. CMMC compliance is quickly becoming a necessity for any company or organization interested in contracting with the federal government.
If you’re interested in learning more about CMMC compliance, such as why CMMC came to be, the various levels within the certification framework, and what your company can do to get certified, then look no further than these next few lines.
What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is an official certification that is essentially used to verify an organization’s compliance with NIST SP 800-171. However, before we dive further into CMMC compliance, let’s first briefly discuss exactly what NIST SP 800-171 is in the first place.
NIST SP 800-171
For those of you who are relatively new to this subject matter, we feel that it’s important to first get a stronger understanding of the driving force behind the CMMC. That driving force is essentially facilitating NIST SP 800-171 compliance and bringing a greater degree of consistency and credibility to the certification process.
The abbreviation “NIST” stands for National Institute of Standards and Technology. This agency was originally founded in 1901 by Congress as a way to address the various challenges associated with industrial competitiveness in the United States. NIST SP 800-171, often also referred to as “NIST 800-171” or simply “800-171”, is essentially a common standard for cybersecurity practices that all companies should strive to comply with.
NIST SP 800-171 gets its name from Special Publication (SP) 800-171, which governs what is called “controlled unclassified information” or “CUI”, specifically in non-federal information systems and organizations. It sets standards and protocols which define not only how to manage sensitive (but not necessarily classified) information, but also how to properly distribute and safeguard it.
NIST SP 800-171 was developed after the Federal Information Security Management Act (FISMA) of 2002 was passed in response to the need for stronger cybersecurity protocols and standards.
The CMMC response to self-assessment
So, now that we’ve provided you with the necessary background information, let’s dive a little further into the CMMC. The CMMC was an initiative that the Department of Defense started back in March of 2019. Basically, the government was getting a little uncomfortable with the fact that NIST SP 800-171 was, at heart, a self-assessment. The government realized that it needed greater insight into companies and the processes being used to certify NIST SP 800-171 compliance. So, one of the key changes was the requirement for the assessment to be handled by an independent third party.
How does the government decide which third-party assessors are acceptable? Well, that’s where the CMMC Accreditation Body (i.e. “CMMC AB”) comes in. The CMMC AB is a private governing body, founded in January 2020, that is composed mostly of volunteers who have worked in some capacity with the Defense Industrial Base (DIB). The CMMC AB’s primary mission is to establish and oversee “a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments…against a defined set of controls/best practices within the CMMC Program”.
Basically, the CMMC has been put into place in order to measure an organization’s cyber hygiene. Let’s face it: if you’re going to be contracting with the DIB, it makes sense that there should be a set of protocols and standards to aspire towards in order to ensure that your cybersecurity processes are up to par. After all, loss of intellectual property can not only gravely impact U.S. security, it can also have disastrous repercussions on our nation’s ability to compete effectively in a global market.
So, if you’re looking to land a federal contract, then you’re going to want to make sure that you get the Cybersecurity Maturity Model Certification at the level required in the contract you’re bidding for. Now, it’s not a requirement to do this yet; but then again, it’s estimated that by 2026 it will be pretty hard to find an RFP without a CMMC clause built into it.
Figure: CMMC level descriptions (source: OUSD (A&S)).
As of today, there are five levels in the CMMC:
Level 1 is the most basic and lowest level of certification. It was designed in order to make basic cybersecurity achievable for small companies. This level doesn’t really require much in the way of process documentation. Essentially, as long as the practices are performed, even in an ad hoc manner, and you’re doing things like adding an antivirus program to your systems, then you’re good to go. So, if you own a landscaping or delivery business that wants a government contract and has minimal access to sensitive data, then you might be able to get away with certification at Level 1.
Level 2 is an intermediate level. At this level, you want to make sure that your company is implementing universally accepted cybersecurity practices. For instance, this level requires documenting your cybersecurity practices and implementing measures such as security awareness training.
Level 3 is a good base level to strive towards. At Level 3, your company should essentially be implementing all of the NIST SP 800-171 requirements. This level delves further into how your processes are maintained and followed, and could involve actions such as implementing two-factor authentication on your CUI network.
Level 4 is what is referred to as a proactive level. If your company achieves Level 4 certification, then it’s safe to say that you have a relatively advanced and sophisticated suite of cybersecurity measures and protocols. At this stage, companies should be periodically reviewing their cybersecurity processes and ensuring that the proper improvements are made throughout the enterprise (e.g. adding security features to mobile devices).
Level 5 is essentially for mission-critical programs. This level requires a highly advanced approach to cybersecurity as well as a strong focus on continually improving your processes throughout the company, such as by running a 24-hour security operations center (SOC) that monitors your network continuously.
CMMC compliance cost
So how much does it cost to achieve CMMC compliance? Well, unfortunately, that depends on a myriad of factors, such as the size of your business, its budget, your current information technology infrastructure, and the level of compliance that you are looking to achieve. As you can imagine, the costs associated with getting certified at Level 5 will naturally far outweigh the costs associated with getting certified at Level 1.
You’re also going to need to consider the cost of a gap analysis, as well as the cost of the various measures that must be taken in order to effectively close those gaps. Furthermore, there’s a cost for the assessment itself, a fee which must be paid to the CMMC AB, and the general costs associated with running and maintaining your cybersecurity processes at the level you need. Finally, you’ll also want to consider the cost of the recertification process, which is needed every three years.
What if you have a breach? Do you lose your certification?
Perhaps one of the most popular questions regarding CMMC is what happens in the event of a breach. For those of you who may be wondering, the answer is no — your company will not necessarily lose its certification in the event that there is a breach. This is because it’s pretty much universally recognized that it’s almost impossible to 100% safeguard yourself against a cyber-attack. Practices and technologies are continuously evolving and as a result, one can only do the best they can to comply with standards and safeguard sensitive information to the best of their ability.
So, let’s say that you land a contract with the government and then, bam! — your company falls victim to an attack. The first thing that will happen is an investigation to assess factors such as compliance with standards, the organization’s level of responsibility, and the timeliness and type of response to the attack. If it is found that your organization performed well and was in fact in compliance, then you may be able to keep your certification. However, if you are found at fault in any way, such as by knowing about a breach or a potential flaw in your systems or processes and failing to take action, then you will most likely be forced to recertify.
If you’re at all interested in potentially becoming a government contractor or subcontractor, then the general advice is that you should begin moving towards CMMC compliance sooner rather than later.
This is because the changes that you will need to make in order to get to where you need to be could very well take years, and resources that you may not currently have access to or will need to prepare for. It’s going to take hard work, grit, and potentially even a significant shift in culture and in the way your organization and its employees prioritize cybersecurity.
Furthermore, you’re going to want to work with an outside CMMC consultant who can help you develop a gap analysis and a strong roadmap tailored to your organization’s needs, so that you can reach the level you need and become fully compliant.
Are you interested in learning more about contracting with the federal government and Cybersecurity Maturity Model Certification? Be sure to bookmark this page because VisioneerIT is here for you as an official resource for CMMC compliance and all of your cybersecurity needs.