If your company does business with government contractors, you have likely heard of the Cybersecurity Maturity Model Certification (CMMC). If you are new to CMMC, here it is in a nutshell: CMMC is a set of cybersecurity requirements that the U.S. Department of Defense (DoD) imposes on the manufacturers and other companies that make up the Defense Industrial Base. Its goal is to ensure that adequate protections are in place for the contract information the government shares with those companies.
If that sounds like a mouthful, it is. But meeting it is the price of continuing to do business with the DoD. The government wants assurance that the companies in its supply chain are protecting its information, and CMMC is designed to make those companies demonstrate, and certify to, a defined level of cybersecurity maturity and hygiene.
Manufacturing was one of the first industries to feel the new standard, but the requirements flow down the supply chain and will reach other industries as well.
What was in place prior to CMMC?
Prior to CMMC, defense contractors were expected to implement NIST SP 800-171 under DFARS clause 252.204-7012 and, more recently, to submit a DFARS self-assessment score. NIST SP 800-171 remains an excellent benchmark, but the regime around it lacked accountability. It was a self-attestation model, a "pinky-swear" model: a company filled out a questionnaire, documented its compliance and agreed that it met all 110 security requirements, but nobody checked. That gap between what was claimed and what was actually implemented is exactly what attackers exploit, over and over again, and it is why CMMC was introduced.
Understanding CMMC 2.0
There is a 2.0? What happened to 1.0? CMMC 2.0 is a revision of the original CMMC program. The DoD recognized that meeting the original CMMC would be burdensome for many small businesses, so CMMC 2.0 simplifies the model and reduces the overhead for smaller organizations. So take a deep breath. Before you stress about understanding and meeting CMMC, let's look at what CMMC 2.0 is and what it means for you.
The DoD is still finalizing the rules, so nothing is set in stone yet, but its statements so far indicate that many contractors will be able to self-assess, provided a senior executive of the organization signs an affirmation that the company meets the requirements. That signed affirmation is the accountability that was missing from the old self-attestation model: a named individual, not just a questionnaire, stands behind the claim.
CMMC 1.0 defined five levels a company could be assessed against. CMMC 2.0 collapses these to three: Level 1 (Foundational), Level 2 (Advanced) and Level 3 (Expert), with Level 2 aligned to the 110 requirements of NIST SP 800-171.
How to move forward with CMMC 2.0
If you supply the DoD directly, or you subcontract to someone who does, CMMC applies to you. Here is how to prepare your business:
- Understand what the standard requires. CMMC brings a much higher level of accountability and checks and balances. Be sure you understand the requirements and the contract clauses before you attest to anything, so that you do not make a false claim.
- Enlist a guide. CMMC 2.0 can be a beast to tackle, and we do not recommend going it alone. An experienced guide can help you interpret the requirements and understand what they mean for your environment.
- Manage your supply chain. Whether you work with the DoD indirectly through a prime contractor or flow work down to your own subcontractors, manage your supply chain both up and down to avoid risk and potential liability.
- Know who owns your CMMC 2.0 journey. Assign a dedicated person who knows the requirements and the level you need to achieve. That same person should be responsible for maintaining your certification afterwards.
- Create a roadmap. Know your starting point, know your target level, and build a roadmap that gets you from point A to point B.
CMMC is not just an IT issue.
Even though CMMC is about the security of your information, it is crucial to understand that it is not just an IT issue. CMMC affects everyone in the organization. As a business leader, you need to understand that this is a journey: it cannot be achieved by purchasing a piece of software, and it is not a one-and-done exercise. You will save yourself headaches, and thank yourself later, if you start by integrating security into the way you do business.