US Department of Defense introduces new cybersecurity requirements for all contractors

If your organisation is one of the 300,000 currently doing business with the US Department of Defense (DoD), then you may be affected by regulatory requirements being brought in this year as part of the new Cyber Maturity Model Certification (CMMC).


Designed to allow for better assessment and pragmatic improvement of the cybersecurity posture of the US Defense Industrial Base (DIB), CMMC unifies existing legislation into a new set of cybersecurity best practices, mapping these practices and processes to five Maturity Levels ranging from basic cybersecurity hygiene (ML1) to advanced cybersecurity practices (ML5).

Given the range and scope of the services delivered by the DIB sector, the CMMC framework is designed to support suppliers with varying requirements for cyber hygiene, which depend on the types of data they store and process as part of their contract. Each of the five Maturity Levels is cumulative, with the required level of compliance being defined through each procurement. Notably, the primary contractor will have to flow the relevant level of compliance with procedures and capabilities down to any sub-contractors it involves in fulfilling DoD contracts, although those sub-contractors may be able to certify at a lower level depending on their role in the contract.

Whereas in the past organisations could self-assess their compliance with the DoD’s cybersecurity requirements, going forward the assessment must be completed by an independent Third-Party Assessor Organisation (3PAO), in order to close perceived gaps in assurance and ensure mandatory standards of compliance are maintained across the entire DIB. With around 15 procurement programmes being switched as of mid-2021, many businesses are expected to be affected by the changes and will need to be certified or risk losing the ability to bid for DoD contracts.

With the CMMC Accreditation Body recommending six months to prepare for certification, companies should get on the front foot now by reviewing CMMC requirements, identifying the Maturity Level they need in order to bid on contracts, assessing existing cybersecurity practices and running a gap analysis. This proactive approach will provide a smoother transition to the new operating model and mean that companies can accredit quickly and avoid exposure to contract risk.

Cyber Business Growth (CBG) has introduced a pre-certification Readiness Assessment that covers all the above steps to highlight any areas of compliance risk. Our specialist Consultants can further support your organisation to remediate identified gaps and implement the practices and processes necessary to align your security controls and policies with the CMMC framework required for your designated Maturity Level. Contact us to discuss how CMMC could affect your business and how we can help you prepare for certification.
