Last September, the Department of Defense released that it will amend the Defense Federal Acquisition Regulation Supplement (DFARS) and will require a Cybersecurity Maturity Model Certification (CMMC) in all defense contracts which will take effect five years from now, in 2026.
The purpose behind CMMC is for all DOD contractors, including subcontractors, to become the “unified cybersecurity standard” and can adequately safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It’s a “Maturity Model” in order to measure the maturity of an organization’s security posture, with respect to the best practices outlined by CMMC which is built upon existing cybersecurity standards such as NIST, FAR, and DFARS. Under this certification model, contractors will be required to be certified among the different CMMC levels (1-5), 17 capability domains, and 171 practices to be eligible for a contract.
The level of security for an organization is determined on the security requirement needs for each defense contract, so contractors will need to decide what CMMC level best suites their business operation. But the one item that is required is that all contractors must implement the 110 security controls set by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 on any information that processes, stores, or transmits controlled CUI and FCI.
CMMC will require contractors to obtain certification by an Authorized and Accredited Third Party Assessment Organization (C3PAO). A NIST SP 800-171 Assessment is to be completed on each contractor information system that would be handling CUI under the contract and performed within three years of the contract award, for the offeror to be considered for award of the contract.
There are still a ton of questions and concerns surrounding the CMMC framework, and we will continue to investigate how the framework will hit the global defense industry. In the meantime, here are 3 recommendations of how you can prepare for the CMC framework:
- Identify which CMMC level will be the most relevant to your organization and start reviewing how your current practices reflect the requirements from the chosen CMMC maturity level.
- Let your internal stakeholders know that there will be a cost to implementing potential new security controls and to the overall certification process.
- Perform an internal/external vulnerability assessment to see how well your organization has implemented the CMMC requirements, how well the requirements are documented and if the maturity is sufficient.
As a SOC2® certified, Managed Service Security Provider (MSSP), our team at LANAIR has already assisted several DOD manufacturers and Aerospace companies navigate through CMMC NIST 800-171 to become compliant and meet the cybersecurity requirements!
It’s a lot of information to take in and getting certified will not occur overnight, let us help your organization discover and classify all of the sensitive data you have, where it is located, and how it is being treated.
Send us an email to email@example.com to complete an internal/external vulnerability assessment based on CMMC and NIST Framework Guidelines prior to scheduling a CMMC assessment with a C3PAO.