
By: Dave Bykowski on September 21, 2021


Why Is It Important To Prepare Now for CMMC?

Cybersecurity | Compliance

Congratulations! You’ve implemented NIST 800-171. You have probably begun to put in place the processes you need to ensure your organization’s cybersecurity. Bad news: that doesn’t mean your job is finished. 

Cybersecurity Maturity Model Certification (CMMC) is the next generation of protection for data shared within the U.S. Defense Industrial Base (DIB). While CMMC is being reworked and version 2.0 won't be phased in for a while, steps you take now will give your organization a competitive edge.

I’ve spent nearly two decades in industry and have helped businesses just like yours stay on top of cybersecurity best practices and compliance standards. CMMC is just the next step in this journey. As Kelser's manager of information security and compliance, I walk businesses through the best way to prepare for the evolving cybersecurity landscape.

I follow CMMC developments daily. In this article, I will explain what CMMC is, how it differs from NIST 800-171, and what steps you can take now to gain a competitive advantage and prepare for a successful CMMC assessment.  

What is CMMC?

CMMC is the next step in cybersecurity requirements for defense contractors and their suppliers. It requires defense contractors and subcontractors to be assessed by an independent third party that will rate the organization’s cybersecurity readiness and the extent to which it is integrated into its culture.

An organization’s CMMC level will determine its eligibility to bid on a government contract or subcontract. 

What Is The Goal Of CMMC?

The U.S. military complex faces constantly changing cyber threats every day. For example, there was no such thing as ransomware 15 years ago. 

CMMC is designed to ensure continuous monitoring and upgrading of cybersecurity to thwart any country or person acting with malicious intent.

CMMC will protect data shared within the defense industry to produce parts, systems, and components for national defense.

The main goal of CMMC is to validate safeguards and practices that ensure basic cyber hygiene and the protection of Controlled Unclassified Information (CUI). CUI is information relevant to the interests of the United States that is not strictly regulated by the Federal Government. It includes sensitive, unclassified information that requires controls to ensure its safeguarding or dissemination.

Any company that possesses Federal Contract Information (FCI) will need to achieve a minimum of CMMC Level 1 certification, even if it doesn’t handle CUI.

Check out this infographic to learn the difference between CUI, FCI, and Public Information.

How Is CMMC Different From NIST 800-171?

NIST 800-171 is a set of standards for protecting and distributing sensitive material. It serves as a baseline for the CMMC framework. 

NIST 800-171 tracks progress toward implementing cybersecurity measures and processes. CMMC will measure the maturity of those processes. Organizations that don’t meet minimum CMMC level requirements for a contract won’t be able to bid.

The sooner you implement cybersecurity procedures and processes, the better. The longer your processes are in place before your CMMC assessment, the more mature they will be and the higher level of CMMC you will achieve, which will qualify you to bid on more government contracts and subcontracts. 

Keep in mind though, it’s not just about having cybersecurity guidelines in place. Routine monitoring and tweaking will demonstrate your organization’s ongoing commitment to refining your cybersecurity protocols. 

When Will CMMC Take Effect? 

CMMC is expected to be fully phased in by 2025, which may seem like a long way off, but it isn’t.

The steps to become CMMC compliant could take months or longer to achieve. The sooner you start preparing, the better off you will be.

While no CMMC Third-Party Assessor Organizations (C3PAOs) are authorized currently to perform assessments, my advice to contractors and subcontractors is to begin preparing now for assessments based on the existing CMMC frameworks that have been outlined. We already know most of what the assessors will expect to see.

What Will Assessors Look For?

The CMMC structure has five levels of certification with Level 5 being the highest:

  • Level 1: Safeguard Federal Contract Information (FCI)

The minimum requirement is basic cybersecurity protection (i.e. antivirus software and physical security). While you may not have written procedures at this level, you have basic monitoring software in place.

  • Level 2: Transition step in cybersecurity maturity progression to protect CUI

Level 2 requires organizations to have cybersecurity policies, rules and processes written down. People leave and threats change. Written cybersecurity documentation is important to preserve a consistent cybersecurity posture.

And, much like a last will and testament, these documents need to be kept up to date. 

  • Level 3: Protect Controlled Unclassified Information (CUI)

At this level, assessors will want to see that cybersecurity processes are managed, tracked, and reviewed. They also will want to know that cybersecurity investment includes the necessary people and budgetary resources.

  • Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs).

Each level has its own set of expectations that also include any in the levels below it. Any DoD contract partner or supplier exposed to CUI will need a minimum of Level 3 certification.

How Best To Prepare For CMMC

Some of the changes necessary to achieve compliance will take time to implement and to become part of your company culture. Start now. Begin assessing gaps, finding best practices, remediating as necessary, testing and re-assessing.

First Steps Toward CMMC Compliance 

    • Figure out if you handle CUI or FCI. Confirm the appropriate "level" to target for certification.

    • Compare your current practices and processes with those outlined in the CMMC levels to prepare for your CMMC readiness audit.

    • Plan to address gaps. Consider organizational impacts, budget requirements, cultural shift, implementation timeline, and track progress milestones toward the target.

    • Document new processes and practices.

    • Test, validate, and document results.

    • Engage an IT managed service provider (MSP) skilled in CMMC compliance to review your current cybersecurity status and ensure your progress.

CMMC Compliance Next Steps

    • Evaluate your internal team

      Do they have extensive cybersecurity experience? Can they execute and maintain the requirements of your target CMMC level? How will taking on CMMC impact your current resources? Will you need additional team members to achieve and maintain certification?

    • If you currently work with an IT managed service provider (MSP), ask some similar questions about their capabilities.

      Review your current agreement with them and what it provides. Examine their cybersecurity capabilities, experience, and certifications. 

    • If you aren’t confident in your internal and external resources and their ability to provide CMMC-related services, evaluate other options.

      When looking for a new MSP, ask for recommendations from colleagues or groups that you’re affiliated with, and don’t forget the Internet! Search for highly reviewed MSPs as well as the best managed services providers near you. Here are some best practices to keep in mind when evaluating a potential MSP, including key questions to ask. 

      An extra set of external eyes on your processes can often quickly identify gaps that internal folks might miss. A trusted, local, reliable MSP partner can help prepare you for business-critical cybersecurity issues like CMMC. 

CMMC is a relatively new standard. You may need to explore other ways to successfully prepare to meet all it requires.

What Could Happen If I’m Not Prepared?

If your organization doesn’t meet minimum CMMC level requirements, you may be unable to bid on contracts and lose revenue. In extreme cases, you could even face business closure. You also may expose your business to other cyber threats. 

By starting now (if you haven’t already), you’re heading toward a more secure future.

Though the requirements for CMMC are thorough, they don’t have to be overwhelming. They will put your company in a better, more secure position.

Get Started With CMMC Preparation Now

Preparing for CMMC now will ensure that your organization will have mature cybersecurity procedures and processes in place before CMMC assessments begin, positioning you to bid on government contracts and subcontracts in the future.

Kelser understands how to prepare you for CMMC because we’ve helped other organizations get their cybersecurity protocols and compliance standards where they need to be. 



About Dave Bykowski

Dave Bykowski is Kelser's manager of information security and compliance. Dave's multiple certifications and nearly two decades of industry experience help him guide businesses in their journey towards cybersecurity and compliance.
