Editor’s note: This article was originally published in 2021, but has been updated to reflect the latest CMMC information.
If you’ve implemented NIST 800-171, you may be wondering what’s next.
Cybersecurity Maturity Model Certification (CMMC) is the next generation of protection for data shared with the U.S. Defense Industrial Base (DIB). Steps you take now will give your organization a competitive edge.
I’ve spent eight years in the IT industry and have helped businesses just like yours nagivate the CMMC journey. CMMC is just the next step.
As Kelser's manager, engineering services, I follow CMMC developments.
In this article, I will explain what CMMC is, how it differs from NIST 800-171, and what steps you can take now to gain a competitive advantage and prepare for a successful CMMC assessment.
What is CMMC?
CMMC is the next step in cybersecurity requirements for defense contractors and their suppliers. It requires self or independent, third-party assessment of defense contractors and subcontractors to rate the organization’s compliance with CMMC requirements.
CMMC is expected to begin being phased in during 2023. Once CMMC is fully implemented, (likely to happen in 2025,) an organization’s certification level will determine its eligibility to bid on a government contract or subcontract.
What Is The Goal Of CMMC?
The U.S. military complex faces constantly changing cyber threats every day. For example, there was no such thing as ransomware 15 years ago.
CMMC is designed to protect information shared within the U.S. DIB and the contract information necessary to produce the parts, systems, and components needed for our national defense.
CMMC ensures continuous monitoring and upgrading of cybersecurity to thwart any country or person acting with malicious intent.
The main goal of CMMC is to validate safeguards and practices to provide increased assurance that companies are meeting cybersecurity requirements. In particular, it is designed to protect controlled unclassified information (CUI) and federal contract information (FCI).
What Is CUI?
CUI is unclassified information that is created or possessed by the U.S. Government or an entity on behalf of the Government that, being relevant to the interests of the United States, requires safeguarding from unauthorized disclosure or dissemination controls.
What Is FCI?
FCI is information provided by or generated for the U.S. Government under contract that has not been or is not intended for public release.
Check out this infographic to learn more about the difference between CUI, FCI, and Public Information.
How Is CMMC Different From NIST 800-171?
In essence, it really isn’t that different if you handle CUI.
NIST 800-171 is a set of standards for protecting and distributing sensitive material. It serves as a baseline for the CMMC framework.
CMMC focuses on assessments, both from companies themselves (as appropriate) and from certified third-parties, to give increased assurance that companies are satisfying the cybersecurity requirements outlined in the NIST 800-171 baseline.
Once the latest version of CMMC (known as CMMC 2.0) is fully implemented, which is expected to happen in 2025, organizations that don’t meet minimum CMMC level requirements for a given contract won’t be able to bid.
The sooner you implement practices to meet cybersecurity requirements, the better. Having consistently performed processes in place that support these requirements will reduce your risks of non-compliance in an assessment.
Keep in mind though, this isn’t a one-time exercise.
Whether your company requires a third-party assessment every three years or not, you still have to self-assess and affirm your compliance annually. Continuous monitoring of security controls and regularly reviewing and adjusting your procedures are required elements of maintaining that compliance.
When Will CMMC Take Effect?
Expect to begin seeing CMMC requirements in contracts as early as May 2023.
The steps to become CMMC compliant could take months or longer to achieve. The sooner you start preparing, the better off you will be.
Depending on contract requirements, CMMC 2.0 may require a certified third-party assessment.
Some CMMC Third-Party Assessment Organizations (C3PAOs) are beginning to conduct voluntary assessments of companies that believe they are compliant and are looking to obtain certification earlier.
My advice to contractors and subcontractors is to begin preparing now for assessments based on the existing CMMC frameworks that have been outlined.
What Do I Need To Know?
While the initial CMMC structure had five levels of certification, CMMC 2.0 has only three:
- Level 1 (Foundational - for FCI)
- Level 2 (Advanced - for CUI)
- Level 3 (Expert - for companies working with CUI on DoD’s highest priority programs)
Organizations will be required to self-assess and self-attest for Level 1 certification. An external, third-party assessor will examine and test your organization's demonstrated with requirements to determine if your organization can be certified for CMMC at Level 2 or 3.
There are 14 CMMC controls, which mirror those outlined in NIST 800-171. While only a few of these areas are relevant to Level 1, (which is based on self-assessment and self-attestation,) they are all relevant to Levels 2 and 3.
Each level of certification builds upon the prior and represents increased levels of cybersecurity compliance and potential capability.
How Best To Prepare For CMMC
Some of the changes necessary to achieve compliance will take time to implement and to become part of your company culture. Start now. Begin assessing gaps, finding best practices, remediating as necessary, testing and re-assessing.
First Steps Toward CMMC Compliance
Here are some initial steps you can take toward CMMC compliance:
-
-
What Information Do You Handle?
Figure out if you handle CUI or FCI.
-
-
-
Confirm Your Appropriate Certification Level
Based on the types of information you handle and the requirements of your existing contracts, determine what level of certification to target.
-
-
-
Compare Current Practices To CMMC Requirements
See how your current practices and processes stack up to those outlined in the CMMC levels to prepare for your CMMC readiness audit.
-
-
-
Plan To Address Gaps
Develop a realistic plan to address gaps that exist. Consider organizational impacts, budget requirements, cultural shift, implementation timeline, and track progress milestones toward the target.
-
-
-
Document New Processes And Practices
Remember this is a continuous process. -
Test, Validate, And Document Results
Keep your processes current and make sure you test, validate and document results as you go.
-
Is your organization ready for CMMC 2.0? Click on the link below, download the free checklist to learn 5 actions to take today to make sure your business is ready for CMMC 2.0.
CMMC Compliance Next Steps
Once you've taken the initial steps, here are some next steps to consider:
-
-
Evaluate Your Internal Team
-
Do they have extensive cybersecurity experience? Can they execute and maintain the requirements of your target CMMC level? How will taking on CMMC impact your current resources? Will you need additional team members to achieve and maintain certification?
-
-
If Relevant, Evaluate External Resources
If you aren’t confident in your internal resources and their ability to provide CMMC-related services, consider other options.
If you currently work or decide to explore working with external resources, ask questions about their capabilities. Examine their cybersecurity capabilities, experience, and certifications.
-
An external IT support provider skilled in CMMC compliance can review your current cybersecurity status and guide your progress. An extra set of external eyes can often quickly identify gaps in your processes.
Here are some best practices to keep in mind when evaluating a potential external IT partner, including key questions to ask.
What Could Happen If I’m Not Prepared?
If your organization doesn’t meet minimum CMMC level requirements, you may be unable to bid on contracts and lose revenue. In extreme cases, you could even face business closure. You also may expose your business to other cyber threats.
By starting now, (if you haven’t already,) you’re heading toward a more secure future.
Though the requirements for CMMC are thorough, they don’t have to be overwhelming. They will put your company in a better, more secure position.
Get Started With CMMC Preparation Now
After reading this article, you have a full understanding of CMMC, how it relates to NIST 800-171 and why it’s important to get started with CMMC preparation now.
You have concrete first steps and next steps to take to ensure that your organization is prepared to meet compliance requirements and achieve the appropriate level of CMMC certification.
You may have a full complement of IT experts on staff who can handle this for your organization. If you have a small staff or have no staff at all, an experienced external IT support provider can help.
If you are considering working with an external provider, we encourage you to include Kelser among your options and to evaluate several options to ensure you work with one that is the right fit for your organization.
At Kelser, we provide managed IT support that includes the services of a cybersecurity expert. We know managed IT support isn’t the right answer for every organization which is why we write informative, unbiased articles like these.
We believe in providing the honest information business leaders like you need to keep your business safe - no matter how you choose to do it.
Not sure managed IT is right for you? Find out in this article that compares managed IT and break/fix options.
Wondering what it costs and what’s included? Learn the answers to those questions in this article.
Or, click the button below, fill out the form and one of our IT experts will contact you within 24 hours to explore whether we are a good fit to work together.
