Cybersecurity Maturity Model Certification (CMMC) is a new framework developed by the Under Secretary of Defense for Acquisition and Sustainment to help protect the DoD supply chain, which is currently exposed to significant cybersecurity risk.
Previously, NIST SP 800-171 was used to reduce the risk of cybercrime across the Defense Industrial Base. This approach is flawed because it treats cybersecurity as a one-size-fits-all solution. Cybersecurity is not one-size-fits-all and therefore should not be managed as such. Data must be protected in accordance with the risk posed by Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC outlines five maturity levels that align domains, processes, capabilities, and practices with the specific sensitivity of the data (FCI or CUI).
CMMC is a third-party accreditation that must be delivered by a CMMC Third Party Assessment Organization (C3PAO). These organizations can be verified at CMMC-AB.
Registered Provider Organizations (RPO) and Registered Practitioners (RP) are trained resources that have been registered to provide non-certified consultative services. This means that the RPO and RP are not allowed to perform the official CMMC Certification as this process must be completed by a third party free from any conflict of interest. Silotech recommends verifying C3PAO organizations before selecting, performing and paying for a certification audit.
RPOs are organizations that have been reviewed and verified and operate by a code of ethics set forth by CMMC-AB. RPOs can be verified at CMMC-AB and should have the RPO badge visible on their website, email, or other social media outlets.
Who is CMMC for?
Cybersecurity Maturity Model Certification (CMMC) is for any and all DoD contractors (Prime or Sub) that support the Defense Industrial Base (DIB) and transmit CUI. If your organization does not transmit CUI but possesses FCI, the organization is required to comply with FAR clause 52.204-21 and must be certified at least CMMC Maturity Level (ML) 1.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products will not require a CMMC certification.
Why is it important? How will it impact my business?
It is estimated that cybercrime costs the global economy over 600 billion dollars annually. According to statista.com, the Federal Government lost over 13.74 billion dollars in 2018 due to cybercrime. This impact has driven the DoD to rethink the way it manages cybersecurity risk. Its response is the CMMC regulation, which requires Prime and Sub Contractors to become independently certified by C3PAO assessors.
CMMC certification is a third-party verification of the controls, policies, and processes performed within your organization. Each ML has different controls that must be performed. It is imperative to know that any required control that is not supported by evidence presented to the auditors constitutes a failure, and the organization will not be certified. Each ML also has its own process, so be sure your organization knows the ML required, is prepared for that ML assessment, and has the evidence to prove each process or control is in place and operating as expected.
Many organizations are still trying to understand the CMMC process, and clearing the fog around this regulation can be a hassle. It is imperative that your organization does not wait to start its CMMC journey. Delaying your certification can impact your ability to compete for Government projects. In 2020, 15 contracts are projected to require CMMC with identified MLs. This requirement will apply to prime contractors and subcontractors. Do not let the lack of this certification be the reason your organization does not grow in 2021. Lastly, CMMC suggests operating at your ML for 6 months before scheduling your assessment. This gives your organization the best chance of having all the evidence necessary to demonstrate compliance with your specific ML.
The CMMC lifecycle starts with the understanding that organizations need expert help to facilitate their journey through CMMC certification.
Best practice for organizations is to start by visiting CMMC-AB at cmmcab.org/marketplace/ to select a CMMC provider in your local area. You can search by name, city, or state. CMMC-AB provides this tool to help organizations ensure they are working with properly trained companies. Organizations should reach out to RPOs and ensure they have RPs attached to their profile. This can also be done at cmmcab.org/marketplace/.
CMMC-AB requires that RPOs have been vetted, verified, and confirmed by CMMC-AB as organizations that have been trained to perform self-assessments, have RPs attached to their organization, and have been given all the latest information on CMMC regulation as it pertains to obtaining your independent certification.
What do I do?
What can Silotech do to help?
Silotech is an RPO and can be found in the CMMC-AB Marketplace at cmmcab.org/marketplace/.
Our RPs follow these basic steps:
As an RPO, we will assist and support your organization in identifying gaps within your necessary maturity level. Silotech can: