What Do I Need To Do To Prepare For CMMC 2.0? Your Comprehensive Checklist
As the government continues to tweak the requirements for Cybersecurity Maturity Model Certification (CMMC) 2.0, many business leaders are scratching their heads and wondering how they can prepare now so they aren’t playing catch up once the requirements are announced.
The necessary steps could take months to put in place, so the Department of Defense is encouraging contractors and subcontractors to “continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway.”
We know everyone is at a different stage on the journey toward CMMC 2.0 compliance.
In this article, I’ll share steps you can take now and provide a link to a comprehensive CMMC checklist you can use to self-assess your readiness for CMMC 2.0.
What Is CMMC?
CMMC is a government framework designed to ensure that defense contractors and their suppliers have measures in place to protect sensitive information.
It is designed to enforce protection of sensitive unclassified information that is shared by the Department of Defense with government contractors and subcontractors that comprise the Defense Industrial Base (DIB).
CMMC requires defense contractors and subcontractors to rate their organization’s compliance with the requirements either via self-assessment or via an independent, third-party assessment.
Once CMMC is fully implemented (likely in 2025), an organization’s CMMC level will determine its eligibility to bid on government contracts and subcontracts.
What Is The Goal Of CMMC?
As cyber threats continue to evolve, CMMC 2.0 aims to ensure continuous monitoring and upgrading of cyber defenses to protect against any person or country acting with malicious intent.
It validates that safeguards and practices are in place to protect controlled unclassified information (CUI) and federal contract information (FCI).
What Is CUI?
CUI is unclassified information that is created or possessed by the U.S. Government or an entity on behalf of the Government that, being relevant to the interests of the United States, requires safeguarding from unauthorized disclosure or dissemination controls.
What Is FCI?
FCI is information provided by or generated for the U.S. Government under contract that has not been or is not intended for public release.
This infographic provides an easy-to-understand visual explanation of CUI, FCI, and Public Information.
How Are CMMC 2.0 Requirements Different From NIST 800-171?
The requirements aren’t really that different.
NIST 800-171 outlines a set of standards for protecting and distributing sensitive material and serves as a baseline for the CMMC framework.
CMMC 2.0 focuses on assessments (from the organization itself and from certified third parties) to provide increased assurance that organizations are satisfying the cybersecurity requirements outlined in NIST 800-171.
Why Does CMMC 2.0 Matter?
Once CMMC 2.0 is fully implemented, which is expected to happen in 2025, organizations that don’t meet minimum CMMC level requirements for a given government contract won’t be able to bid.
Why Take Action Now?
The sooner you implement practices to meet cybersecurity requirements, the better. This is true not only for compliance with CMMC 2.0, but also for protecting your organization’s data from hackers.
In addition, being able to show a history of consistently performed cybersecurity processes and procedures that support these requirements will reduce your risks of non-compliance in an assessment.
How Do I Get Started On CMMC 2.0 Compliance?
One of the best ways to get started is to perform a self-assessment of your organization’s current cybersecurity measures.
Use this CMMC checklist to see how your organization stacks up.
The next step is to figure out which level of certification is appropriate for your organization:
- Level 1 (Foundational - for FCI)
- Level 2 (Advanced - for CUI)
- Level 3 (Expert - for companies working with CUI on DoD’s highest priority programs)
The 14 CMMC controls mirror those outlined in NIST 800-171. Only a few of these controls are relevant to Level 1 certification, but all 14 are relevant to Level 2 and 3 certifications.
Level 1 requires annual self-assessment and self-attestation to compliance.
Level 2 and 3 certifications require annual self-assessment and attestation in addition to an external, third-party assessment every three years to examine and attest to an organization’s demonstrated compliance with the associated requirements.
Level 1 certification is required to qualify for Level 2 certification. Level 3 certification requires certification to both Level 1 and Level 2 requirements.
To retain any level of certification, organizations are required to perform continuous monitoring of security controls, regular reviews, and adjustment of procedures to reflect new security threats.
After reading this article, you have a full understanding of CMMC, how it relates to NIST 800-171 and why it’s important to get started with CMMC preparation now.
You have concrete first steps and next steps to take to ensure that your organization is prepared to meet compliance requirements and achieve the appropriate level of CMMC certification.
You may have a full complement of IT experts on staff who can handle this for your organization. If you have a small staff or have no staff at all, an experienced external IT support provider can help.
Or, click the button below, fill out the form and one of our IT experts will contact you within 24 hours to explore whether we are a good fit to work together.