Cybersecurity compliance is a critical concern for defense contractors and organizations working within the U.S. Department of Defense (DoD) supply chain. With the implementation of the Cybersecurity Maturity Model Certification (CMMC), businesses must understand what’s required to stay compliant and secure future contracts. Below, we answer some of the most common questions about CMMC compliance and certification.
What Does CMMC Mean?
CMMC stands for Cybersecurity Maturity Model Certification. It is a framework developed by the DoD to ensure that defense contractors implement the necessary cybersecurity controls to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
How Is CMMC Different from NIST?
While both CMMC and the National Institute of Standards and Technology (NIST) frameworks aim to improve cybersecurity, CMMC is a certification process that builds upon NIST Special Publication 800-171. Unlike NIST 800-171 on its own, which is verified through self-assessment, certain CMMC levels require a third-party assessment for certification.
How Do I Get a CMMC Certificate?
Organizations seeking certification at a level that requires third-party assessment must be assessed by a Certified Third-Party Assessment Organization (C3PAO) to obtain CMMC certification. The level of certification required depends on the sensitivity of the data handled.
How Do I Comply with CMMC?
To comply with CMMC, businesses must implement the required security controls outlined in NIST 800-171. These controls include access controls, incident response, risk management, and encryption policies.
How Much Does CMMC Certification Cost?
The cost of CMMC certification varies based on the level required and the complexity of the organization’s IT environment. Estimates range from a few thousand dollars for Level 1 to tens of thousands for Level 2 or higher.
What Is the NIST Equivalent in Canada?
In Canada, the equivalent of NIST cybersecurity standards is the Canadian Program for Cyber Security Certification (CPCSC), which provides guidelines for businesses to protect sensitive information and meet security requirements. The CPCSC is also based on NIST SP 800-171, although the Canadian program considers Revision 2 of SP 800-171, whereas the US CMMC is based on Revision 2.
Does CMMC Only Apply to DoD?
Yes, CMMC is specifically designed for contractors and suppliers working with the DoD. However, other government agencies and industries may adopt similar frameworks in the future.
What Is the Difference Between ISO 27001 and CMMC?
ISO 27001 is an international standard for information security management systems (ISMS), while CMMC is a DoD-specific certification with defined maturity levels. Some ISO 27001 controls overlap with CMMC, but CMMC has unique requirements specific to defense contracts.
Can You Self-Certify CMMC?
Organizations handling only FCI at CMMC Level 1 can self-certify compliance. However, those managing CUI at Level 2 or higher must undergo a third-party assessment. Some Level 2 organizations will be allowed to self-certify; however, the majority are expected to require the third-party assessment.
Does CMMC Require an Audit?
Yes, most organizations requiring CMMC Level 2 or higher must pass an audit conducted by a C3PAO to obtain certification.
What Is the Difference Between Level 1 and Level 2 CMMC?
- Level 1 focuses on basic cybersecurity hygiene and applies to companies handling FCI. It consists of 17 controls.
- Level 2 aligns with NIST 800-171 and applies to companies handling CUI. It includes 110 security controls and requires third-party assessment.
When Will CMMC Requirements Show Up in My Contract?
CMMC requirements are being phased into DoD contracts. Organizations should monitor contract solicitations for CMMC clauses, as compliance will become mandatory for many contracts in the near future.
Am I Supposed to Have Some Kind of “Score” Uploaded to the Federal Government?
Yes. Organizations handling CUI are required to submit a NIST 800-171 self-assessment score to the DoD’s Supplier Performance Risk System (SPRS) now—this is a current requirement. The audit against CMMC Level 2 is the portion that will be coming online as CMMC is implemented.
What Do I Have to Do to Manage Downstream Subcontractors?
Prime contractors are responsible for ensuring their subcontractors comply with CMMC requirements. This includes verifying subcontractors meet the appropriate certification level for the data they handle.
I Don’t Know Anything About CMMC – How Do I Get Started?
Start by identifying whether your organization handles FCI or CUI. Review NIST 800-171 security requirements, assess your current cybersecurity posture, and begin implementing necessary controls. Working with a CMMC consultant can help streamline the process.
How Do I Control My Costs and Still Obtain My Certification?
To minimize costs, organizations should start early, focus on critical security gaps, and leverage existing security measures. Using managed IT services can help implement and maintain compliance efficiently. In addition, if your organization serves both defense and commercial clients, it may be possible to confine the handling of CUI to a restricted, segregated environment called an enclave, so that only the enclave, rather than the whole business, falls within the scope of the assessment. Talk to a security professional about this option.
Need help with CMMC compliance? Convergence Networks can guide you through the process, from assessments to certification. Contact us today to secure your compliance and protect your contracts.