What does the DOD’s new Cybersecurity Maturity Model Certification mean for your business?
As of this year, the DOD is rolling out a new certification standard for contractors, with the aim of tightening cybersecurity protocols and reducing vulnerabilities to possible cyberattacks. While various other regulations in the past have included cybersecurity components, the Cybersecurity Maturity Model Certification (CMMC) was developed specifically to address digital security concerns.
As with any new certification model, DOD contractors are eager to learn more about the details, specifically how they apply to their own business. As a company heavily invested in NIST requirements and IT security compliance standards in general, we've been hard at work reviewing the news releases and documentation available thus far. Here are some of the key points businesses should be aware of as the certification standards begin to take effect.
1. CMMC will apply to all DOD contractors, but the roll-out will be gradual.
The first question most businesses have regarding CMMC is: Will I need this, and if so, when? There are several parts to this answer, so let’s begin with the easiest. The DOD is not adding CMMC requirements to existing contracts, so any work your business is currently conducting is bound by the same terms as before.
However, by the end of the year, at least 15 contracts are expected to contain CMMC requirements, and that number will rise sharply with each subsequent year. By 2025, the DOD estimates that at least 479 contracts will carry CMMC clauses, with over 48,000 certified contractors.
This means that, if you are a contractor working with the DOD, or a subcontractor working on DOD projects, you should expect these requirements to apply to your business sooner rather than later.
2. The CMMC Accrediting Body will designate C3PAOs to conduct assessments.
The DOD is still in the process of setting up the steps whereby businesses will be able to achieve certification. Currently, a 13-member accrediting body has been formed comprising members of the defense industry, the cybersecurity industry, and the academic community.
To date, no CMMC Third-Party Assessment Organizations (C3PAOs) have been designated by the CMMC Accrediting Body. The Accrediting Body is still defining its own roles and responsibilities, in particular to rule out conflicts of interest in how C3PAOs themselves become accredited to perform assessments.
Following this, C3PAOs must be selected and then trained to assess and certify businesses that require it. Organizations that wish to become CMMC assessors should contact their local Procurement Technical Assistance Centers (PTACs) to be considered for training.
The PTACs will also be instrumental in connecting contractors with qualified C3PAOs once these organizations have been identified and their training has been completed.
3. Businesses will be responsible for attaining certification through a designated assessor.
Businesses that wish to continue working on DOD contracts will be responsible for meeting CMMC requirements and attaining certification. To do so, they will have to engage a C3PAO to assess their security practices against the certification level specified in the contract.
Subcontractors will also need to demonstrate that they meet CMMC requirements before they can work with prime contractors on DOD projects, but they will not necessarily need the same level of certification as their prime. For instance, a prime contractor may need Level 3 CMMC in order to bid on a project, but if a portion of that project only requires Level 1, then a subcontractor certified at Level 1 could handle that aspect of the work.
This is designed to make the CMMC rollout as smooth as possible for businesses, especially small businesses, so that the delivery flow on DOD projects isn't interrupted more than necessary.
4. Level 1 certification follows basic cybersecurity best practices—what you should be doing already.
If you're beginning to feel intimidated by CMMC, don't. While the DOD is prioritizing certification, many of the requirements should seem familiar to contractors who have worked with the DOD in the past. In fact, the Level 1 practices are drawn from the FAR Basic Safeguarding Requirements (FAR 52.204-21) that already apply to contractors handling federal contract information.
These are basic cybersecurity hygiene measures, such as running anti-malware software on office computers, applying software updates and patches promptly, and enforcing sound password and account practices. Since your business should be following these practices anyway, achieving Level 1 certification should be relatively painless.
5. Many CMMC requirements are very similar to NIST SP 800-171.
For businesses aiming at higher certification levels, existing security practices should once again provide a reliable roadmap, at least through Level 3, which builds on the NIST SP 800-171 controls that DOD contractors handling controlled unclassified information are already expected to implement. One caveat: unlike a self-attested 800-171 implementation, a CMMC assessment expects the practices at the target level to be in place at the time of the assessment, so an open plan of action is not a substitute for implementation. Businesses that are required to achieve Level 4 or 5 certification can expect to provide proof of strict and thorough protocols, but fortunately, those levels will apply to a minority of contracts.
6. The DOD depends on small businesses to fulfill contracts, and those that are quick to attain certification will have an advantage.
If there is anything that the DOD has repeatedly stressed while introducing this new certification model, it is that it wants to make it as smooth as possible for small- and medium-sized businesses to attain CMMC certification. The DOD relies heavily on contractors of all sizes to accomplish its objectives, and any policy that overly burdened these businesses would run counter to its own purposes.
However, the DOD also recognizes that cybersecurity is a crucial part of national security. Contractors who want to continue working with the DOD should prioritize certification if they want to keep their competitive edge. In doing so, they will be able to show how much of a priority cybersecurity is for their business—and that's exactly the commitment the DOD wants to see.