CyberSecurity Maturity Model Certification (CMMC)

Are you ready for the CMMC?

Threats to US DoD and contractor information systems continue to grow. Katie Arrington, Chief Information Security Officer for the Assistant Secretary of Defense Acquisition claims that with over 70% of DoD data living in contractor networks, the US Government recognizes that the previous self-certification is no longer sufficient to protect the US DoD information systems. Prior to the CMMC mandate, all vendors would self-certify on their compliance status to DFARS 252.204-7012. This self-regulation ultimately caused security posture gaps in many defense contractors. The DoD needed a stricter policy to ensure the security of these vendors, and thus, the CMMC was formulated. 

When fully enforced, CMMC certification will be critical in order to bid on, win, or deliver work on defense contracts and related projects. Complying with CMMC is paramount to your business. Given the potential impact to defense contractors, it’s no wonder firm after firm has popped up claiming to be ready to evaluate a customer environment for CMMC.  

What is the Cybersecurity Maturity Model Certification?

The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for all existing and new contractors for the Department of Defense (DoD) to help ensure that these suppliers and vendors meet high-security standard requirements. Before the CMMC was announced in 2019, the regulation for contractors was based on DFARS 252.204-7012, which identified NIST 800-171 as the security standard.  

As a part of the CMMC, all contractors are assessed by a Certified Third-Party Organization (C3PAO) and deemed as compliant before they can continue their DoD contract or be awarded a new one.  High-priority contractors are expected to begin the CMMC around June 2020 and others will follow later in 2020.  

The certification is built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia. The CMMC consists of 5 levels to measure the cybersecurity practices of contractors. 

Not only does your organization need the CMMC to continue any contracts with the DoD, but it’s never a wrong time to take another look at your cybersecurity posture. You need a partner that knows the compliance landscape and has the niche experience of working with federal third-party vendors. Without the right partner, your ability to quickly onboard this initiative with your existing cybersecurity program will prove to be challenging and overwhelming for your existing resources. 

How MindPoint Group can help

With years of experience in compliance, MindPoint Group can help you navigate the complexities and requirements of the CMMC. MindPoint Group is closely monitoring the progress of the Office of Under Secretary of Defense for Acquisition & Sustainment OUSD(A&S), and we have the advantage of potentially becoming a C3PAO for the CMMC because we already meet the FedRAMP CP3AO requirements. As a Third-Party Assessment Organization (3PAO) for the FedRAMP program, we are familiar with working with Agency Authorizing Officials (AOs), Joint Authorization Boards (JAB), vendors, and program management offices to ensure that our clients fulfill the security requirements. Once the AB finalizes the required documentation templates, we will be prepared to offer Gap Assessments and the following services to help you navigate the CMMC process:   

• CMMC pre-assessment/gap assessment 
• CMMC assessment (when CMMC is finalized) 
• CMMC SSP and POA & M document preparation 
• NIST 800-171 implementation 
• CMMC consulting 
• CMMC audit 

As the CMMC program is not yet finalized, we are offering CMMC consulting and informal assessments based on the latest draft version of the CMMC Model.  

Additional Resources

• Official Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC website 
• Article: What does the CMMC mean for defense contractors?  
• Escalating security across vendor contracting 

Schedule your free discovery session