Who does CMMC apply to?
Starting in September of 2020, companies who are going through the Department of Defense (DOD) procurement process are required to improve their cybersecurity hygiene. The DOD is requiring the Cybersecurity Maturity Model Certification (CMMC) for any company it conducts business with (including subcontractors). The required level will vary based on the contract and will appear in Requests for Information (RFIs) and Requests for Proposals (RFPs). The higher your level the more contracts that you would be eligible to apply for.
Who does CMMC not apply to?
Companies who build off the shelf products will not need to comply with CMMC. The DOD will specify the level of cybersecurity compliance needed in each contract.
How does CMMC apply to my company?
The CMMC builds on cybersecurity standards and best practices and maps those practices to 5 maturity levels ranging from ‘Basic’ to ‘Advanced’ cyber hygiene. The specific level requirements will vary depending on the contract and the company. The DOD’s goal is to increase the cyber hygiene of associated contractors while making sure the requirements do not disqualify anyone. As such, the cost of certification will be considered an allowable, reimbursable cost.
How does the CMMC differ from the NIST SP 800-171?
According to the CMMC site:
CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
What should I do now?
- Check any RFIs and RFPs for the required maturity levels.
- Contact someone like us to begin working towards meeting the underlying requirements of the CMMC and work your way up the maturity levels. The higher your level, the more contracts you would eligible towards. NIST SP 800-171 would be a good starting point for levels 1-3.
- Level 1 is equivalent to the practices in the Federal Acquisition Regulation 48 CFR 52.204-21
- Level 2 works up to include 48 practices within the NIST SP 800-171r1
- Level 3 encompasses the 110 security requirements of NIST SP 800-171
- After you have achieved the appropriate level, then schedule an audit with an independent 3rd party, certified by the CMMC Accreditation Body (CMMC-AB). Once CMMC Third Party Assessment Organizations (C3PAOs) are prepared, the CMMC-AB will publish a publicly available list of Assessors.
Looking for more information?
- You can find the dedicated website here
- We recommend starting with the following briefing
