February 19, 2020

    Do DoD Contractors Need Cybersecurity Maturity Model Certification?

    The Cybersecurity Maturity Model Certification (CMMC) was a big announcement for the defense industry, and contractors for the Department of Defense who manage controlled unclassified information need to start preparing for major changes that will come as part of this process.

    As a provider of government-compliant data sharing software, FTP Today has kept a close eye on CMMC and the impact it will have on government data compliance solutions.

    The CMMC framework aims to standardize cybersecurity efforts and better protect government data in the hands of contractors. While there are still details emerging about the process, contractors should start preparing to earn their certification as they learn more about the requirements.

    Here is what you need to know before pursuing your Cybersecurity Maturity Model Certification.

    What is the Cybersecurity Maturity Model Certification?

    The CMMC is a certification designed by the Department of Defense to enhance cybersecurity efforts within the defense industry. The CMMC combines portions of different government security guidelines as a standard for assessing the maturity of a company’s cybersecurity efforts. 

    The CMMC has specific implications for the way defense contractors handle controlled unclassified information (CUI), based on the maturity level they fall under. The CMMC will allow the DoD to award contracts to companies that have been assigned the maturity level appropriate for the security needs of the contract. We’ll discuss the different maturity levels below.

    One important note: the CMMC is essential for prime government contractors, but subcontractors will also need to prepare to obtain this certification, regardless of how much CUI they have access to. The CMMC will be a mandatory regulation in the government cybersecurity arena.

    Why Was the Cybersecurity Maturity Model Certification Created?

    As you’ve likely seen in the news over the past few years, cybersecurity breaches are becoming more frequent. The CMMC framework was the result of a few high-profile breaches that compromised sensitive DoD information. The result has been a reassessment of the security controls contractors must have in place to prevent these types of breaches in the future.

    In May 2019, the DoD announced the CMMC initiative, making this still a relatively new effort for many defense contractors. While details are still emerging, it’s important for contractors to start taking action to improve their cybersecurity efforts now. 

    Protecting CUI is essential for the government and the contractors they work with. This sensitive data, if it falls into the wrong hands, could bring serious consequences for the DoD, its contractors, and even American citizens. 

    Regardless of the amount of CUI a contractor or subcontractor handles, it’s vital that the appropriate steps are taken to protect this data. CMMC certification aims to address any gaps or discrepancies in the security measures contractors have in place to protect CUI.

    How will CMMC Influence Other Existing Compliance Frameworks?

    One challenge faced by defense contractors is adhering to the multiple cybersecurity standards published by the U.S. government. Wading through the standards and determining which ones apply to your business and which do not can be time-consuming and expensive.

    The CMMC framework makes that process a bit easier by combining relevant portions of various cybersecurity standards into a single standard. It borrows from the following security standard publications:

    • NIST SP 800-171
    • NIST SP 800-53
    • ISO 27001
    • ISO 27032

    It also takes a different approach to measuring the effectiveness of a company’s cybersecurity efforts. Instead of a list of boxes to check to ensure every standard is met, the CMMC requires a more comprehensive and qualitative look at your security controls.

    By assessing the maturity of a company’s security efforts, the CMMC gauges the degree to which the company has implemented security best practices and processes.

    How Does the CMMC Certification Process Work?

    What are the steps for CMMC certification?

    While we know maturity levels will range from “Basic Cybersecurity Hygiene” to “Advanced,” there are still a few details about the certification process that have yet to be released. Though this is still a new endeavor for the DoD, here are a few things we already know:

    • You’ll work with an independent third party, approved by the DoD, to schedule your CMMC assessment. You will not be able to assess yourself for certification; this must be done by an approved third party.
    • You will specify the level of certification you want to be assessed for (based on your business requirements).
    • If you meet the appropriate standards, you will be awarded certification for the maturity level you specified.

    Here’s one important detail we don’t know yet: the cost. The certification cost has not been released, but expect it to reflect the maturity level you wish to obtain (i.e. the higher the maturity level, the higher the cost).

    How Do I Prepare for the CMMC?

    The CMMC won’t take effect until later this summer. Although we are waiting for more details to come out, there are still a few steps you can take to prepare for your CMMC assessment. 

    First, do a self-assessment of your security measures. What’s working, and where do improvements need to be made? When you’re regularly assessing your security measures, you’re able to keep them up to date and address weaknesses before problems arise. 

    Next, do an assessment of your customers. Since your CMMC maturity level will impact the types of DoD contracts you’re awarded, understanding the cybersecurity needs of your customers will be important. Think about the customers you have now and the ones your business will be targeting in the future, and use that information to gauge what CMMC maturity level you need to work toward. 

    Finally, stay up to date on CMMC developments. Since CMMC will not take effect and be required for RFPs until June 2020, expect more details to come out the closer we get to that date. As we approach the implementation of the Cybersecurity Maturity Model Certification, be proactive about the process. With the right measures in place, obtaining the right maturity level will be easy.

    Want to fine-tune your cybersecurity efforts in alignment with government standards? See how FTP Today can help you prepare your organization by downloading this free guide on ITAR compliance.


    Martin Horan

    Founder of Sharetru (Formerly FTP Today) and a respected voice in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.
