CMMC: Cybersecurity Maturity Model Certification

The Compliance you Need to do Business with the DoD


Are you ready?

Threats to US DoD and contractor information systems continue to grow. Katie Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, claims that with over 70% of DoD data living in contractor networks, the US Government recognizes that the previous self-certification is no longer sufficient to protect US DoD information systems. Prior to the CMMC mandate, all vendors would self-certify their compliance status against DFARS 252.204-7012. This self-regulation ultimately left security posture gaps in many defense contractors. The DoD needed a stricter policy to ensure the security of these vendors, and thus the CMMC was formulated.

When fully enforced, CMMC certification will be critical in order to bid on, win, or deliver work on defense contracts and related projects. Complying with CMMC is paramount to your business. Given the potential impact on defense contractors, it’s no wonder firm after firm has popped up claiming to be ready to evaluate a customer environment for CMMC.

What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for all existing and new contractors of the Department of Defense (DoD), intended to ensure that these suppliers and vendors meet high security standards. The regulation for contractors was previously based on DFARS 252.204-7012, which identified NIST 800-171 as the security standard.

As part of the CMMC, all contractors are assessed by a Certified Third-Party Organization (C3PAO) and must be deemed compliant before they can continue their DoD contract or be awarded a new one. High-priority contractors will begin around June 2020, and others will follow later in 2020.

Levels and Descriptions

The certification is built on existing requirements such as NIST SP 800-171, NIST SP 800-53, and AIA NAS9933, together with private sector contributions and input from academia. It consists of 5 levels that measure the cybersecurity practices of contractors.

[Figure: CMMC levels and descriptions]
Source: www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf

Not only does your organization need the CMMC to continue any contracts with the DoD, but it’s never a bad time to take another look at your cybersecurity posture. You need a partner that knows the compliance landscape and has the niche experience of working with federal third-party vendors. Without the right partner, integrating this initiative quickly into your existing cybersecurity program will prove challenging and overwhelming for your existing resources.

How can MindPoint Group help?

With years of experience in compliance, MindPoint Group can help you navigate the complexities and requirements of the certification. MindPoint Group is closely monitoring the progress of the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)), and we have the advantage of potentially becoming a C3PAO for the CMMC because we already meet the FedRAMP 3PAO requirements. As a Third-Party Assessment Organization (3PAO) for the FedRAMP program, we are familiar with working with Agency Authorizing Officials (AOs), the Joint Authorization Board (JAB), vendors, and program management offices to ensure that our clients fulfill the security requirements. Once the CMMC Accreditation Body (AB) finalizes the required documentation templates, we will offer Gap Assessments and the following services to help you navigate the process:

  • CMMC pre-assessment/gap assessment
  • CMMC assessment
  • CMMC SSP and POA&M document preparation
  • NIST 800-171 implementation
  • CMMC consulting and audit

As the program is not yet finalized, we are offering consulting and informal assessments based on the latest draft version of the certification model.
