CMMC: The New & Enhanced Cybersecurity Model
Who Needs CMMC Certification, and Why?
If your organization is one of the over 300,000 companies that do contract work in the Department of Defense (DoD) supply chain, you have probably heard about the new Cybersecurity Maturity Model Certification (CMMC) requirements enacted in January 2020. As its title suggests, CMMC is a maturity model, not the “check-the-box” type of assessment that has been the standard up until now. In addition, CMMC requires validation by an independent, certified third-party assessment organization (C3PAO), in contrast to the historical precedent of self-attestation.
The move to the CMMC assessment model is in response to the critical need to better protect the DoD supply chain from theft of intellectual property and sensitive information due to malicious cyber activity that threatens U.S. economic and national security. According to the CMMC Accreditation Body (CMMC-AB), “Cybersecurity is an existential issue for our nation. Our nation’s adversaries are increasingly recognizing that they do not need to attack us with expensive conventional kinetic weapons. They know they can destroy our economy and our freedom from afar with just two things – a computer and time.” Ron Ross, a fellow at NIST and author of cybersecurity publications used across the federal government, said of the state of U.S. cybersecurity, “We literally are hemorrhaging critical information [to our adversaries].” CMMC is aimed at stopping the bleeding.
When is CMMC Certification Required?
As of December 2020, the DoD has begun releasing the first contracts that require suppliers to meet CMMC requirements. The DoD and the CMMC-AB have been strongly urging DoD Supply Chain contractors (DSC) since January 2020 to start preparing for their CMMC Assessment (audit). Depending upon your organization’s complexity, current maturity level, and CMMC level of certification sought, it may take approximately 6-24 months to implement and document all the practices and processes that are required. In addition, you will need to prove that all CMMC requirements are part of your organization’s everyday culture and you must demonstrate institutionalized maturity for all required practices, processes, and procedures.
Katie Arrington, CISO for Acquisition and Sustainment at the DoD and the main force driving CMMC implementation, made it clear there were no temporary certifications: “It is go or no go.” Companies have been self-certifying that they comply with NIST 800-171 for several years, but Arrington said the stakes are too high and the Defense Department is now moving into a ‘trust but verify’ era. “Over $600 billion a year is lost through the theft of intellectual property, ransomware attacks and other cybersecurity disruptions,” Arrington said. “There is no more ‘I’m going to get there next week.’ It is now. We can’t wait. Our adversaries aren’t waiting.”
According to Arrington, CMMC is expected to soon become the security standard for the entire Federal Government (not just the DoD supply chain) and will likely be incorporated into Sarbanes-Oxley (SOX) requirements in the near future.
How to Prepare for the CMMC Audit
The DoD is concerned that some contractors lack an understanding of what is needed to pass a CMMC audit and are consequently overconfident that they can pass it. The CMMC process can take a lot of time, planning, and resources. It’s important to note that the CMMC assessment is a pass/fail audit and can become quite expensive and time-consuming if your organization does not meet 100% of the requirements on the first (or a subsequent) audit. The CMMC-AB strongly advises customers not to wait to start the process; otherwise, these organizations may find themselves unable to bid on DoD supply chain contracts and lose business to their competitors.
Why is Candoris an Optimal CMMC Certification Company?
The DoD strongly encourages organizations seeking CMMC certification to work with a CMMC Registered Provider Organization (CMMC-RPO) that is approved and trained by the CMMC-AB to help them prepare for the CMMC assessment. Candoris is one of the first CMMC-RPOs in the nation that can help conduct your CMMC Gap Analysis – a critical step to becoming CMMC certified – and help you with CMMC assessment preparation. We can be your trusted CMMC advisor to guide you through this complex process, which can be confusing and daunting. What really sets us apart from other CMMC-RPOs is that we are a full-service technology firm that can provide security products, solutions, services, and technical consulting to help your organization close all identified CMMC gaps.
CMMC is finally here, and if you have not yet begun your preparation, the time to start is now. As a CMMC-RPO and a full-service technology firm, Candoris can be your one-stop shop for your CMMC solutions and audit preparation.