It’s coming. That’s the first thing you need to know about the CybersecurityMaturity Model Certification, or CMMC. If your company does work for U.S.Department of Defense (DOD) contracts in any way - from tier I contractors down to the smallest widget maker - you need to be knowledgeable about this accreditation process.
Because the bottom line is CMMC will be required for contract award.
In this article, we’re covering the basics – what is CMMC, how it affects you and what are the next steps to prepare for CMMC.
It’s important to view CMMC as a posture, the way a company practices cybersecurity hygiene. It’s not a checklist accreditation or a “one and done.” Instead, CMMC is about a progression towards security maturity.
In the Microsoft Technical Reference Guide for CMMC, this certification is described as “a unified standard for implementing cybersecurity across the DIB [Defense Industrial Base], which includes over 300,000 commercial companies in the supply chain” (p. 6).
CMMC came about as a proactive response to the increased cybersecurity attacks on ourcountry, as a whole and as individual entities.
The CMMC Accreditation Body (CMMC-AB) oversees the vetting, training and accreditation of the third-party assessment organizations (3PAOs). The CMMC-AB defines itself as “the sole, authorized accreditation and certification partner of DoD in its CMMC program.”
Once approved by the CMMC-AB, the 3PAOs will evaluate companies’ cybersecurity practices and assign their CMMC levels.
An organization’s CMMC level will be reassessed every 3 years. (Since cyberterrorists improve their nefarious ways, we must heighten our efforts continually too.)
The CMMC is a scale of 5 levels of compliance, with level 1 being the most basic security routines and level 5 demonstrating the most advanced and stringent controls.
CMMC Level 1 is equivalent to the requirements in the Federal Acquisition Regulation (FAR)48 CFR 52.204-21. Currently, every company fulfilling contracts with the DOD already meets this level; the practices outlined in FAR 204-21 are foundational for keeping information secure.
The Level 2 designation encompasses level 1, while adding 48 additional controls from the National Institute of Standards and Technology (NIST) SP 800-171 r1. Level 2 is transitory for companies aiming for Level 3 and beyond.
Levels 1and 2 are designed to keep Federal Contract Information (FCI) secure. They are considered the basic and immediate levels of cybersecurity maturity.
Level 3 is a big leap in maturity, though; it’s where more rigorous practices are implemented to secure not only FCI but Controlled Unclassified Information (CUI).
For this reason, Level 3 seems currently to be the optimum certification, especially with contracts coming out in 2021 and 2022. This level includes the requirements from FAR 204-21 (as in Level 1), ALL practices outlined in NIST800-171 and 20 more security practices. If Levels 1 and 2 are deemed basic and intermediate, Level 3 is considered “good” cybersecurity hygiene.
Level 4, the “proactive” step, adds the Draft NIST SP 800-171B and 15 more hygiene practices. That comes to a total of 156 cybersecurity practices to earn Level 4 designation.
Obviously,Level 5 is the walking dog of the CMMC. It requires 171 cybersecurity measures – everything in the first four levels, plus more advanced, often automated, controls. As Phil West stated in the Start Your CMMC Compliance on the Right Foot webinar, “[This level of cybersecurity] moves you up the food chain so to speak.”
Everyone.
Okay, not everyone.
But any company in the DIB supply chain – every company accessing, creating, storing and disseminating FCI and CUI – is affected.
And at the time this article was written, CMMC is required before bidding on a government contract. The timeline currently stands as: (1.) CMMC level designation (2.) bid (3.) award (4.) Defense Federal Acquisition Regulation Supplement (DFARS) self-attestation, if required for the particular contract.
October 2025 is the date when all contracts will be expected to meet their specified CMMC levels. (Remember, though, some contracts are already being released with a CMMC level designation.)
So, what are the next steps to prepare for CMMC? First, you’re already moving in the right direction by reading this article.
Second, we strongly suggest migrating to Microsoft GCC or GCC High if your company has not already done so.
By migrating to Microsoft’s government cloud, Microsoft shares the responsibility of security with you. In other words, Microsoft’s teams have already built in many controls to help with CMMC certification and work to maintain the cloud infrastructure.
(Of course, there are many routines and practices required for CMMC, and Microsoft can’t guarantee a company’s security rating. But, it’s nice not going it alone!)
As a Microsoft partner who specializes in cloud migration, we’d love to speak with you. Contact us to book an appointment to talk about how your organization is readying itself for CMMC.
Resources:
CMMCAccreditation Body. (2021, May 26). CMMCFrequently Asked Questions. https://cmmcab.org/faq/
Microsoft.(2021, September) MicrosoftTechnical Reference Guide for CMMC: Accelerate Your Journey to CMMC with theMicrosoft Cloud. https://www.microsoft.com/en-us/download/details.aspx?id=103401
Meacham,P., West, P., & Meyer, W. (n.d.) StartYour CMMC Compliance Journey on the Right Foot [Webinar]. Microsoft.https://info.microsoft.com/en-us-ondemand-StartyourCMMCcompliancejourneyontherightfoot-none.html
Wakeman,Richard. (2020, October 28). AcceleratingCMMC Compliance for Microsoft Cloud (In-Depth Review): October 2020 Update. https://techcommunity.microsoft.com/t5/public-sector-blog/accelerating-cmmc-compliance-for-microsoft-cloud-in-depth-review/ba-p/1825671