No certification pain, no contract gain. A relatively new and, some would say, arduous certification process aims to ensure contractors are meeting improved cybersecurity standards.
The Cybersecurity Maturity Model Certification (CMMC) is part of a Department of Defense (DoD) framework that requires a third-party vendor and supply chain certification to win or renew contracts.
How does the government maintain a high level of security across a network of over 300,000 contractors? Under most government contracts, defense contractors will now assume all IT-related cyber and security risks.
The CMMC is designed to improve the protection of controlled unclassified information (CUI) and covered defense information (CDI) within the supply chain. More than 70% of DoD data resides on contractor networks.
Defense contractors must prepare for these changes by identifying the maturity level they need, documenting internal processes, providing the DoD with feedback, and conducting proper third-party assessments.
But beware—this isn’t a “one and done” certification. Cyber agility is an ever-evolving systems process that will continually challenge contractors to audit and improve their organization’s security standards.
Released by the DoD on January 31, 2020, the CMMC is setting a new IT standard for the defense industrial base (DIB).
With hundreds of thousands of companies in the DoD supply chain, the CMMC requires contractors to submit third-party cyber assessments that demonstrate compliance. In the past, contractors were tasked with monitoring their own IT systems, but as cyber threats became more widespread and sophisticated, the CMMC added an extra layer of security to the supply chain.
The primary goal of the CMMC is to protect and improve the security of controlled unclassified information (CUI) and federal contract information (FCI). CUI is information that requires safeguarding, and FCI is information unintended for public release. Both require enhanced protection and safeguards against pressing security threats.
The CMMC has established five certification levels to adequately protect sensitive government information across contractor information systems. They have also established domains that categorize contractor security within each level.
The five levels are cumulative: starting at level one, each level builds on the technical requirements of the level below it.
The CMMC framework consists of 17 domains. Domains have capabilities, and capabilities include practices and processes. CMMC requirements are organized by domains and capabilities—then each practice and process within them is designated by level.
The certification applies to all DoD prime contractors and subcontractors who provide services and materials to execute a contract.
DoD contractors will need to learn CMMC technical requirements, assessments, and mandatory contract procedures.
Here are basic steps to begin your CMMC journey:
Document. Audit and document all compliant practices or processes.
Plan. Develop and implement procedures to obtain the highest certification level possible. Prime contractors should also work with subcontractors to develop or update compliance programs.
Engage with agencies. Offerors should closely review requests for information (RFI) and requests for proposal (RFP) documentation, and clarify any questions surrounding certification levels and accompanying requirements.
Challenge assessments. What if a certification level or audit result is erroneous? A low rating could place limitations on a contractor's ability to compete for work. At this time, a contractor does not have the right to appeal an audit. In the meantime, you as a contractor should provide your own feedback or recommendations surrounding due process procedures.
Reach continuous cyber agility. Although CMMC certification will be a minimum requirement for DoD contract award eligibility, achieving cyber-compliance will never be complete. The CMMC is a catalyst for changing contractors’ cybersecurity processes and internal requirements. All organizations should hold themselves to a higher security standard to ensure long-term defense contracting award success.
First, identify the maturity level at which your company needs to be audited for compliance. Then, find a certified third-party assessor organization (C3PAO) who will schedule your assessment with a certified independent assessor.
Upon completion of the assessment, the assessor will submit findings and recommendations to the CMMC Accreditation Body to certify that the organization seeking certification (OSC)—you—complies with the required CMMC maturity level.
Where do I find all of this information? Start here.
Attention defense contractors: don’t fall behind. With change comes growth, and adaptation is the key to government contracting survival.
As your organization works towards implementing critical cybersecurity requirements, you will need an accurate and secure pricing platform.
In the ProPricer Services Contractor Edition pricing environment, users can be given full control, or they can be granted specific access, edit, add, and delete rights—meaning rate tables can be locked down, and hundreds of individual elements can be under a variety of control levels. Request a demo.
Keep your IT department agile. Improved cybersecurity plus CMMC Certification equals more contract awards.