What You Need to Know About Government CMMC Certification

Cybersecurity is critical for ensuring an organization’s digital data and infrastructure are responsive and safe from being breached.

The Cybersecurity Maturity Model Certification (CMMC) was created by the Department of Defense (DoD) and will be a new requirement for all contractors working directly with the federal government or with prime contractors (i.e. Raytheon, Northrop Grumman, etc). CMMC is replacing the self-attestation model beginning in 2021 and rolling out over the next five years for all contracts.

CMMC will be required from the many vendors in the federal DoD supply chain, and if you’re one of them, it’s time to begin preparing for the changeover.

During the recent Digital Agility Summit, Phil Keeney of Stambaugh Ness, gave an overview of CMMC, including how to know if your company requires the certification, how much time companies will be given to comply and the ramifications of becoming compliant.

This change will apply to you if your company works directly with the federal government and you handle:

• Federal contract information (FCI) generated for the government and not intended for public release;
• Controlled unclassified information (CUI), for instance transactional information, that needs to be safeguarded under government policies.

CMMC is a unified cybersecurity standard for future DoD purchasing. It’s a new framework to SP NIST 800-171 designed to secure over 300,000 contractors and protect DoD proprietary information.

Previously, government vendors confirmed via checklist that they had sufficient cybersecurity measures in place, but there was not an audit or confirmation that the information was true/correct. The new certification model is moving toward using CMMC-AB (Accreditation Body) for third-party registration, certification and compliance. Third-party certified auditors are also being equipped. The ultimate goal is to cover and secure existing issues within the Defense Industrial Base that made it vulnerable to cyberthreats.

CMMC will consist of five levels to measure the cybersecurity practices of contractors.

1. Basic cyber hygiene (17 practice areas)
2. Intermediate cyber hygiene (72 practice areas)
3. Good cyber hygiene (130 practice areas)
4. Proactive (156 practice areas)
5. Advanced/Progressive (171 practice areas)

Keeney explained that most companies will operate under level 1 or 3. He advised, regardless of what you’ve heard, that it could take upwards of 18 to 24 months to put everything in place you’ll need for your certification. Therefore, companies shouldn’t delay in taking steps to achieve CMMC.

Companies are urged to do their due diligence in assessing tolerance to cyberthreats. Take time to determine how quickly you need to recover from incursions and how quickly you can recover. It’s important to know your company’s vulnerabilities and which departments have a role in minimizing them. Certainly, more teams will be involved than just IT. 

With the constant barrage of cyberattacks around the world, most companies recognize the importance of resilience and are in the process of taking practical steps towards implementing cybersecurity.

Even if you’re not required to comply with CMMC, Keeney advised that you align your standards with NIST 800-171 “for the protection of your data as well as your customers’ data.”

---

As you map out important commitments toward implementing your cybersecurity plans, reach out to the Digital Transformation Team at Applied Software to help you identify NIST 800-171 compliant tools, like Panzura, that will best serve your needs.