What is CMMC?
CMMC is the cybersecurity framework established by the U.S. Department of Defense to protect the country’s defense supply chain and improve the overall security of the defense sector. CMMC – Cybersecurity Maturity Model Certification – was designed to ensure that government contractors working within the DoD’s supply chain at all levels maintain the security of the information they handle, transfer, and store. The certification will ensure that all players within the defense industrial base (DIB) have the systems and protocols in place to protect controlled unclassified information (CUI) and contract details from both domestic and foreign cyberthreats.
Now in its second iteration (version 2.0 was released in November 2021), CMMC is based on three levels of compliance: Foundational, Advanced, and Expert. Of the estimated 300,000 companies that fall into this new security framework, the vast majority will require Level 1 or Level 2 certification.
Level 1: Foundational
At the foundational level, contractors must implement 17 security practices that safeguard the assets that process, store, and/or transmit Federal Contract Information (FCI). Compliance is demonstrated through an organizational self-assessment that is affirmed by company leadership.
Level 2: Advanced
Level 2 requires more advanced cybersecurity methods from those companies that are part of the defense industrial base (DIB) and manage controlled unclassified information (CUI). Organizations at this level must implement 110 unique cybersecurity best practices that are aligned with NIST SP 800-171. Some companies at this level will be required to undergo a third-party assessment every three years to certify their compliance. Others will certify compliance through an annual self-assessment similar to the process required at Level 1.
Level 3: Expert
At the most rigorous level of certification, Level 3 of the CMMC is reserved for those companies handling controlled unclassified information for the DoD’s highest priority programs. While the specifics of the security requirements at this level are still in development, certification of cybersecurity maturity at this level is likely to require the 110 best practices called for at Level 2 plus some of the security practices contained in NIST SP 800-172. Contractors seeking certification at this level will also undergo a government-led assessment of their compliance.
Why Should You Care?
Does your company bid on government contracts within the DIB? If so, then this new security framework applies to you. The first contracts requiring CMMC compliance were signed in 2020, but all applicable companies within the supply chain are required to have certification by 2025.
The Government Accountability Office recently found that many defense contractors audited in recent years failed to meet the cybersecurity standards forming the basis of the CMMC requirements. This raises alarms because organizations within the DoD ecosystem, especially the small and medium businesses that make up approximately three-quarters of relevant contracts, are increasingly targets of focused and sophisticated cyberattacks.
The heightened threat levels are certainly a compliance issue and a business continuity issue. But from the 30,000-foot perspective, it is also a national security issue. So while CMMC compliance won’t be required in all DoD contracts until 2025, we strongly encourage all clients with relevant contracts to start shoring up their organization’s cybersecurity infrastructure now, making full compliance at the relevant level an achievable goal by the 2025 deadline. Efforts made now can also improve your standing in the DoD contractor ecosystem in the near term.
How Can ITeck Help?
Daunted by the CMMC compliance process? That’s a totally normal (and understandable) response. We are here to support SMBs contracting with the DoD as they pursue CMMC certification. We handle the burden of compliance while also improving your security infrastructure and protecting your organization from today’s cyberthreats.
ITeck’s approach is to supplement your internal IT resources with our experience and CMMC readiness program to help ensure the critical information you handle meets security standards and your organization is ready for any required audit. ITeck approaches CMMC readiness in three phases.
CMMC Planning Consultation
In our initial CMMC planning consultation, we work together to establish a shared understanding of what your compliance needs are and your timeline for achieving them. Our CMMC experts can help answer any questions you have about the certification process and provide you with insight on how the CMMC framework will impact your organization and its business continuity in the long term.
Gap Analysis & Plan of Action
Once we have a strategic plan in place, we will work with your team to assess the current state of your security structures and processes to discover and analyze any gaps or risks to compliance. With this information in hand, we can collaboratively design a Plan of Action with key implementation milestones, specific tasks, and budget implications, ensuring that your organization is ready for certification when it’s required.
Security Enhancement & Remediation
With your Plan of Action in place, our team will support you in implementing the plan and meeting key milestones. Together, we will close any compliance gaps, mitigate any risks to CMMC compliance, and support your internal resources in improving your overall organizational cybersecurity infrastructure, protocols, and procedures.
Ready to Get CMMC Prepared?
Improve your company’s cybersecurity and achieve compliance.