What is the Cybersecurity Maturity Model Certification (CMMC)?
According to the DoD, the CMMC combines various cybersecurity standards and best practices and maps these controls and processes across several levels that range from basic cyber hygiene to advanced.
For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level.
Source: DoD Department for Acquisition and Sustainment - https://www.acq.osd.mil/cmmc/
The Reality of CMMC
The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirement for the Defense Industrial Base has impacted small businesses significantly. They face a considerable challenge in implementing the requirements for CMMC.
CMMC Doesn't Exist
This is a direct quote from our good friend at the Defense Acquisition University, Chris Newborn. It may sound odd, weird, wrong, or even crazy, but it is true, and it is an important distinction to make. Right now, until the rulemaking effort is complete, CMMC does not exist. What does exist is DFARS 7012, 7019, and 7020. These are the current requirements: NIST 800-171, the DoD Assessment Methodology score, and the submission of your score to SPRS.
There is word from the DoD that companies that get assessed by a C3PAO before the rulemaking is done will not have their three-year renewal window start until rulemaking is complete. This could add one to two years to your renewal window, saving time and significant money, both on preparation and on the cost of the assessment itself.
CMMC Preparation Services
Becoming compliant with 800-171 is not easy. It is not quick. It is not cheap. Cybersecurity is a risk management investment. Many small business defense contractors are taking 12-18 months to fully implement all of the requirements, technology, culture changes, practices, and procedures needed to be ready for their assessment. Delaying until the rulemaking is complete is a roll of the dice in a game you can't win. If you delay, you will be behind the curve, potentially losing competitive advantage and the ability to do business with many of the large prime contractors that expect or require their subcontractors to be compliant as soon as possible; otherwise they will no longer do business with you.
KNC is here to help you, however you need it. We can complement your existing team or help manage the entire preparation process. Our goal is for you to do everything you want to, and for us to help only with what you do not want to do or cannot do. We team with our clients as trusted partners. We provide our Red, White, and Blue Glove service to our clients and treat them as friends.
At KNC Strategic Services, we take a Risk-Based Approach. The general assessment principle we follow is that if documentation and evidence are nonexistent, then the practices and processes are nonexistent, and the internal control environment is ineffective.
We are actively supporting the Defense Industrial Base as it prepares for the upcoming CMMC Assessments.