How to prepare for the Cybersecurity Maturity Model Certification
Chances are firms that do business with the U.S. Department of Defense have heard about the upcoming Cybersecurity Maturity Model Certification (CMMC) by now.
Released by DOD in January 2020, CMMC is, in essence, a mandated security framework for organizations seeking to provide services to the agency. Once fully rolled out, all DOD-contracting organizations must be compliant with CMMC standards, and those that are not might be shut out of DOD business.
Firms doing business with DOD already have the responsibility of implementing and protecting systems that hold or transmit Controlled Unclassified Information (CUI), and they are required to self-attest that they do so.
The CMMC difference: Once fully implemented, CMMC will require third parties to assess these firms’ compliance with a fresh set of standards.
CMMC version 1.0 states that an organization can become certified at one of five levels, from Level 1, Basic Cyber Hygiene, to Level 5, Advanced/Progressive. Each successive level adds practices and processes that an organization must implement to be considered in compliance with that level. Most organizations will probably seek Level 3, Good Cyber Hygiene.
To achieve certification, an organization will need to select a Level and have its certification validated by an independent assessor, known as a CMMC Third-Party Assessment Organization (C3PAO).
Since January, changes have already been discussed.
For example, members of the Senate and House Armed Services Committees have since added provisions to the fiscal 2021 Defense Authorization Bill requiring firms to meet at least Level 3.
What should organizations do to prepare now?
TalaTek recommends implementing the NIST Special Publication 800-171 requirements, if they haven’t already, given that CMMC borrows heavily from this NIST publication.
TalaTek also recommends performing a NIST 800-171 gap analysis. A gap analysis can determine whether a firm is already meeting 110 of the 130 required practices.
Firms should also visit the CMMC FAQ on the Office of the Under Secretary of Defense for Acquisition & Sustainment website. This website contains the latest information on CMMC as it’s made public.
Finally, organizations needing assistance can contact TalaTek. TalaTek can accelerate an organization to CMMC compliance by helping implement NIST 800-171 requirements and create the necessary documentation.