Compete for DoD Contracts with CMMC Compliance

Businesses that have fulfilled contracts for the DoD in the past know that improved cybersecurity standards for suppliers have been a long-standing goal for federal regulators. Once it comes into effect, the latest version of these standards, the Cybersecurity Maturity Model Certification (CMMC), will be required for all federal suppliers and for any subcontractors they source work to. Here’s what your business needs to know.

Why is CMMC compliance important?

The Center for Strategic and International Studies estimates that, in 2017, cybercrime was responsible for an economic loss of as much as $600 billion worldwide. The DoD recognizes this as a significant threat to the American economy, especially attacks targeting the Defense Industrial Base (DIB) and the DoD supply chain.

With the loss of intellectual property being of particular concern, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has developed the Cybersecurity Maturity Model Certification to harden security standards and prevent data breaches.

What is the purpose of the CMMC standard?

CMMC is designed to protect two specific kinds of information:

  • Federal Contract Information (FCI). The federal government protects information regarding its contracts—both details generated by the government and those provided by contractors.
  • Controlled Unclassified Information (CUI). CUI encompasses any data that is sensitive in nature but that does not require federal clearance to access. This includes personally identifiable information, technical drawings, legal documents, and other intellectual property.

CMMC outlines practices and procedures businesses must take to protect FCI and CUI if they intend to work with the DoD or any other federal agencies that adopt these standards.

How should businesses prepare for CMMC?

CMMC is built on previous security standards, so if your business hasn’t started work on NIST SP 800-171 compliance, you will likely have a long way to go before you are ready for CMMC certification.

Current DoD suppliers must have posted a NIST SP 800-171r2 adherence score in the U.S. Government’s SPRS system, which requires a contractor to generate a System Security Plan and include a POAM (if necessary). This score is required by DFARS rule 252.204-7019. See the official rule text for more information.

While the CMMC standards are being finalized, businesses intending to work with the DoD must perform a self-assessment in order to determine their Supplier Performance Risk System (SPRS) score. The SPRS score must be accurate, as there are penalties if a business claims a score and then fails to meet those standards under audit.

In order to attain an SPRS score, businesses must first have a System Security Plan (SSP) and a Plan of Actions and Milestones (POAM). These documents are highly detailed, and usually require a security expert to complete. If you do not have someone trained in compliance on your staff, be prepared to call in a compliance consultant.

What should your business expect from the CMMC process?

Many businesses are facing pressure to adopt these measures and achieve certification quickly. However, the certification process is very involved, and businesses will have more success if they approach it with realistic expectations. Here are the top five things you should know as you begin working with a CMMC consultant.

1. Businesses should know what CMMC level they need for their business model.

The level of CMMC certification required for a business varies depending on how much contact that business will have with FCI and CUI. In some cases, businesses need only follow basic procedures. At the highest level, requirements are strict and will require a significant and ongoing investment from the company.

Graphic showing the five levels of CMMC compliance.

2. The process to achieve CMMC can take up to twelve months… or in some cases longer.

Businesses cannot meet CMMC standards overnight. In fact, it could reasonably take most businesses at least a full year to be initially qualified for certification. If your business plans to bid on DoD contracts, it is imperative that you begin working towards satisfying the requirements of DFARS 252.204-7012, NIST SP 800-171r2 and a CMMC Maturity Level as soon as possible.

3. Achieving CMMC will require active participation by the company.

Many companies expect to be able to hire an outside contractor to bring their systems up to CMMC standards for them. However, the active participation of the company and implementation of standards, practices, processes, and procedures is required to achieve—and maintain—compliance.

At Brightline, we work closely with our clients, explaining the full CMMC process, walking through their infrastructure, looking at their technical controls, and reviewing policies that demonstrate how the control is being enacted. We can assist in moving the process forward, but, per CMMC requirements, the client is responsible for implementing its new cybersecurity policies.

4. Final CMMC will be awarded on a pass/fail basis.

In the past, it was considered sufficient for businesses to document their intent and plan to meet requirements (by providing an SSP and POA&M) in order to be qualified to accept DoD contracts. SPRS scores are a step beyond this, requiring businesses to demonstrate the progress they’ve made. In its final iteration, CMMC will require a business to be fully certified at a CMMC maturity level before it can be awarded a DoD contract.

5. Maintaining CMMC standards is an ongoing process.

Companies are often under the impression that meeting CMMC requirements can be left to the IT department. However, practicing cybersecurity hygiene is a more holistic process that must incorporate multiple departments, from HR to Operations. Employees must be trained in the appropriate procedures and security awareness protocols, and new workflows must be designed to ensure the controls are followed.

Seeing this process through requires a “compliance manager” who can work on maintaining CMMC requirements. Some standards require continuous monitoring, review, tasks, and documentation. Also, cybersecurity threats and standards are constantly evolving. Businesses that pass these standards will be certified for three years, but without an individual or group monitoring and maintaining compliance requirements, an organization is likely to fail future audits.

Businesses that are proactive in meeting CMMC standards will have an advantage in bidding on government contracts.

Past cybersecurity standards only required self-assessments and the maintenance of an SSP and a POA&M, but without federal auditors to ensure the standards had been enacted, compliant businesses were at a competitive disadvantage: those that dedicated resources to meeting these standards were bidding against other companies that claimed to have security initiatives in place but had never demonstrated proof. It also left vulnerabilities in the effort to protect CUI.

As CMMC begins to be enforced, all businesses contracting with the DoD will be required to hold certification at a certain level depending on the nature of their contract. Level 1 is equivalent to FAR 52.204-21, so businesses that have already achieved this standard independently will have a head start over those just beginning the process.

Most non-prime contractor businesses will need to meet Level 3 standards, which include all 110 controls of NIST SP 800-171r2, plus an additional 20 controls specific to CMMC. Implementing these controls will take a concerted effort by any business required to demonstrate compliance. However, CMMC certification will offer significant competitive advantages to businesses by only allowing certified organizations to bid on and accept government contracts that involve CUI.

Brightline is a Registered Provider Organization (RPO) for CMMC services.

If you are ready to prepare your business for Cybersecurity Maturity Model Certification, we can help. Brightline is now a Registered Provider Organization (RPO), and our team includes two Registered Practitioners (CMMC-RPs) who have been certified by the CMMC Accreditation Body and who can work with your business to guide you toward satisfying the requirements your organization must meet to earn a CMMC certification.

Contact us today to get started.