What is the Cybersecurity Maturity Model Certification (CMMC)?

What is the Cybersecurity Maturity Model Certification or “CMMC”? How will the CMMC impact my business and what can I do to plan for the roll-out? What is the timing of the CMMC? Today, we explore all of these items in detail.

What is the CMMC?

The CMMC will be a new requirement for existing Department of Defense (DoD) contractors, replacing the self-attestation model previously mandated under DFARS (against NIST SP 800-171) and moving toward formal third-party certification. This will also apply to subcontractors, and the expectation is that going forward, all government RFPs will stipulate the CMMC level required of the bidder.

The CMMC is intended to serve as a verification mechanism to ensure that appropriate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) residing on the networks of the DoD’s industry partners. The certification will be based upon and incorporate existing requirements such as DFARS 252.204-7012, NIST SP 800-171, NIST SP 800-53, private sector contributions, and input from academia. While the guidance has not yet been finalized, the expectation is for 5 levels of maturity ranging from “Basic” to “Advanced”, with the expected security controls prescribed for each level.

What should my company do to plan for the CMMC?

As discussed, the expectation is that self-attestation will go away and all contractors will be required to have a third-party assessment performed to determine their maturity level. There is no guidance yet on who will be authorized to perform these assessments. However, there are things you can begin doing today:

  1. Review the provisional guidance and determine which level of maturity you will strive for.
  2. Prepare a POA&M to lay out a plan for implementing the necessary requirements to meet your desired level.
  3. Keep a pulse on the CMMC guidance to ensure you are aware of key deadlines and timelines for implementation.

What are the key CMMC milestones?

Below are the expected key milestones for the Cybersecurity Maturity Model Certification implementation and roll-out; however, they are all still tentative and subject to change:

  • January 2020 – Official release of version 1.0 of the rule.
  • June 2020 – Included in Requests for Information.
  • September 2020 – Included in Requests for Proposals.

Have any questions that we didn’t discuss? Interested in learning more about how we can assist? Contact us today!