What is CMMC?
Established by the Department of Defense (DoD), Cybersecurity Maturity Model Certification (CMMC) shows that appropriate levels of cybersecurity practices and processes are in place to protect sensitive data.
Within the next five years, any organization that wants to obtain a DoD contract (and most likely any government contract) will be required to hold a CMMC certification. This includes the entire Defense Industrial Base of 300,000+ companies.
The CMMC compliance process maps cybersecurity best practices and processes to five maturity levels. Process levels range from Performed at Level 1 to Optimized at Level 5. In parallel, practices range from Basic Cyber Hygiene at Level 1 to Advanced and Progressive Cyber Hygiene at Level 5. The certification level required depends on the service the company provides to the government. For example, a company that provides software or is privy to sensitive information will require a Level 4 or Level 5 certification.
To receive a CMMC certification, a company will need to meet the “controls” assigned to each certification level. The controls at each level are progressively more complicated and demanding of the company to meet. Companies should identify which CMMC certification level they need to avoid unnecessary preparation efforts.
Do I Need It?
Yes, if your company has contracts with the DoD or plans on obtaining contracts with the DoD. And, the sooner your company gets a CMMC, the more appealing your organization will be to Defense Pricing and Contracting (DPC) when they select who to award contracts to.
How Can I Prepare to Pass the Audit?
The best way to prepare to pass your desired level of certification when audited by a CMMC auditor is to conduct a Security Assessment. I recommend a Security Assessment that evaluates the cybersecurity and information technology hygiene of an organization using the CMMC framework as a guide. Since CMMC audit costs vary based on the time required by the auditor, a Security Assessment can greatly reduce the audit time and end cost, and lower the risk of failing the audit.
A lesser option—but suitable for some companies—is to search out a vendor that provides CMMC compliance assistance. However, many of these vendors only provide templates that allow your company to satisfy the controls that concern cybersecurity and IT policies.
If your company requires Level 4 or Level 5 certification, having cybersecurity policies alone is not enough. You need active safeguards in place. A Security Assessment will help identify exactly what you need.