By: Patrick Martin on September 24, 2024

CMMC Timeline: What You Need To Know Before It’s Too Late

Cybersecurity | Compliance

Everyone who does business with the Department of Defense should be fully aware by now that there is a looming deadline of Q1 2025 to meet updated security standards in order to continue doing business with the DoD.

With the CMMC assessment deadline fast approaching, you may have more questions than answers at this point.

Among your most pressing concerns right now, you probably want to know when you need to get ready for CMMC and the timeline for meeting the revised compliance requirements.

After you read this article, you will know what CMMC is and the steps needed to complete the CMMC certification process. You will gain a thorough understanding of what to expect for the certification process. This knowledge will help you to make the right IT decision for your business to ensure that you are on the right path toward compliance.

We will also provide guidance on what to expect and next steps should your company not satisfy the new requirements, or should you require additional time to get things in order.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC 2.0) is a three-level program the DoD implemented to increase protection of sensitive national security information. CMMC establishes an updated set of cybersecurity compliance standards for companies doing business with the DoD.

The new model focuses on assessments, ranging from self-assessments at the lowest level up to third-party certification.

The latest CMMC iteration builds upon the controls established in NIST 800-171.

Related Article: What Is CMMC Compliance? 5 Key Steps To Help With CMMC Certification.

If you’re already doing business with the DoD, you should already be meeting the NIST 800-171 requirements.

The certification process includes creating a System Security Plan (SSP), a requirement for NIST 800-171 compliance. Each company’s SSP will serve as a comprehensive delineation of how it has implemented each NIST 800-171 control, and how those controls will be monitored on an ongoing basis.

Related Article: What Is A NIST 800-171 System Security Plan (SSP) & How To Create One

The new CMMC model applies to all contractors and subcontractors and defines three levels of compliance, depending on the type of information being handled: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CUI is unclassified information that is created or possessed by the Government, or an entity on behalf of the Government, that requires safeguarding and dissemination controls. This data is not considered top secret but is sensitive enough to require protection so that only authorized parties have access to it.

FCI is information created by or provided for the Government through a federal contract that is not intended for public dissemination.

Level 1 contractors and subcontractors with only FCI must implement 15 security controls and perform an annual self-assessment. Your verified self-attestation scores must then be reported to the Department through its Supplier Performance Risk System (SPRS).

A senior official within your organization will also be required to annually reaffirm continued compliance.

Level 2 companies will be subject to third-party assessments every three years. DoD assessors will conduct the certification assessments for Level 3 businesses, which include the largest defense contractors.

The Certification Process: What Are The 5 Key Steps To Achieve CMMC Compliance?

The CMMC rule change requires several steps to achieve compliance and maintain it. Companies with CUI data need to satisfy 110 NIST SP 800-171 baseline assessment controls, which are grouped under 14 practices. NIST 800-171 compliance can take an average of anywhere from six to 18 months.

That means, if you haven’t started yet, you are already behind.

Related Article: How Long Does NIST 800-171 Compliance Take? 4 Key Stages And Factors

Here are 5 critical steps you will need to take to meet CMMC compliance:

1. Determine your CMMC level based on the data you handle. You can verify this in your defense contract, which may also specify the level you need to achieve. If not, reach out to your contracting office or the organization above you in the supply chain to verify.

2. Assess your entire IT environment and infrastructure, both physical and network systems that store or share CUI or FCI. Taking a detailed inventory of all of your systems and devices and documenting them, along with noting who has access to them, will help you narrow authorized users to meet the security requirements.

3. Conduct a gap analysis to see where your current IT environment stands against the NIST 800-171 controls. Identifying these gaps lets you focus your remediation effort on exactly the shortfalls that stand between you and CMMC compliance.

4. Create a System Security Plan (SSP) to spell out exactly how your business protects sensitive information, using the NIST 800-171 controls as the baseline. The plan must detail how your organization handles sensitive data, including how it is processed, stored and shared.

Your SSP must also identify the roles and responsibilities of authorized personnel to ensure data safeguarding. This essential document will represent the basis of your evidence for meeting the CMMC requirements.

5. If your organization handles CUI, the next step is to schedule an on-site assessment by a Certified Third-Party Assessment Organization (C3PAO). Before the visit, be sure to complete a self-assessment so that you are satisfied that you have met all of the requirements in NIST 800-171.

The on-site assessment will include a complete review of your SSP, along with interviews with members of your team, and possible requests for demonstrations of certain controls. You will be required to recertify every three years, but keep in mind that some security controls require ongoing maintenance.

When Will The CMMC Rule Change Be Finalized?

The final rule is expected to be adopted by Q1 2025 and the new language will start appearing in contracts. This means that you need to be CMMC compliant by then. Frankly, you should be well on your way toward satisfying all of the required security measures to avoid any last-minute surprises.

The CMMC requirements will be phased in as contracts are renewed and established, and will be written into all contracts that require the handling of CUI and FCI data. Only government officials and the contractor or subcontractor will be able to view the self-assessment and certification results.

For companies handling CUI, if a C3PAO flags any problems during the on-site assessment, there will be remediation mechanisms in place to correct those security gaps.

Businesses will be allowed to submit a Plan of Action & Milestones (POAM) identifying qualified problems (not all issues qualify for a POAM).

Related Article: What Is A NIST 800-171 POAM (Plan Of Action & Milestones) & Key Steps.

Each business will then have 180 days to address the remaining tasks and close the POAM. Once this happens, the company can then have the same C3PAO that did its initial site assessment conduct a follow-up assessment.

Why Should You Be CMMC Ready Now?

The security requirements are extensive and undoubtedly daunting, yet unavoidable. The DoD will institute more robust protections for its sensitive information, and like it or not, you will be required to satisfy the new CMMC requirements. You won’t be able to opt out or claim an exemption due to company size, cost, or other factors.

Should you be concerned about failing to meet the new regulations? Absolutely. There will be consequences for noncompliance. Companies that fall short of the CMMC 2.0 certification requirements could find themselves on the outside looking in when it comes to doing business with the DoD going forward.

Contractors that do not meet CMMC 2.0 program certification may face damages and/or fines of $10,000 per control under the False Claims Act.

Additionally, submitting a false affirmation could result in various consequences—such as DoD contract termination or debarment—making you ineligible to bid on any DoD contracts.

What's The Bottom Line?

You now have a thorough understanding of what CMMC is and how to ensure that your company meets the new security measures. You also now know what the timeframe is for implementation and what the possible penalties are for failing to comply.

With the CMMC 2.0 compliance deadline looming, you may have started to question your company’s preparedness. Does your staff have sufficient knowledge to institute all of the controls and verify that they meet the CMMC standards or is it time to reach out to a managed IT service provider?

We recognize that each business is different. Perhaps you have an internal IT team of certified cybersecurity experts that can navigate the complexity of CMMC. If you don’t have a qualified team in place, however, now may be the right time to consider partnering with an external IT service provider.

If you find yourself at that junction, I encourage you to explore your options so that you find a provider that meets your needs.

See for yourself how Kelser and one of our competitors (Charles IT) compare, based on publicly available information from the websites of both organizations. We know it is unusual to offer head-to-head comparisons, but the truth is that each organization has strengths.

Over the years, Kelser has successfully guided businesses like yours through compliance protocols with a number of standards and frameworks (NIST, CMMC, DFARS, etc.). Our staff understands how to navigate the complexities of CMMC compliance and how to get you across the compliance finish line.

Use the button below to start a conversation with us about any questions you have about NIST 800-171, CMMC certification, or other compliance topics.

About Patrick Martin

As vice president, engineering services, Patrick tackles technical challenges on a daily basis. He enjoys working with customers to help them use technology effectively to achieve their strategic business goals and objectives.
