If you're currently doing (or hope to do) business with the U.S. Department of Defense (DoD), you should be aware of its impending Cybersecurity Maturity Model Certification (CMMC) requirement.
CMMC is designed to protect the controlled unclassified information (CUI) that DoD contractors store, process, and transmit on their networks. With nearly 300,000 contractors and subcontractors in the DoD's database, this requirement will have a profound effect on businesses in every state.
Demonstrating compliance with IT security requirements for the handling, transmission, and storage of DoD data is nothing new for government contractors. Since 2015 they have had to meet the cybersecurity requirements of the Defense Federal Acquisition Regulation Supplement (DFARS), whose clause 252.204-7012 points to the security controls in NIST SP 800-171.
The difference now is that, while defense contractors remain responsible for implementing these cybersecurity measures, the systems and processes they put in place are also subject to audits by third-party assessors. And by 2025, all DoD suppliers will need to achieve at least CMMC Level 1 to continue doing business with the department.
Some Contractors Must Comply with CMMC Starting Now
Beginning in fiscal year 2021, many businesses need to become CMMC compliant if they wish to submit a bid in response to a formal request for proposal (RFP) issued by the Department of Defense. The Pentagon is already including the requirement in some of its open solicitations. As a result, an estimated 6,000 to 7,500 businesses are immediately affected and will need to achieve some level of CMMC compliance to win bids.
The CMMC model includes five levels, each with its own set of practices and process requirements. The sensitivity of the information handled under a given contract and its security concerns determine which level your organization will have to meet.
The 5 Levels of CMMC
- Level 1 parallels the FAR 52.204-21 basic safeguarding requirements, which all federal contractors that handle federal contract information must already meet. The difference is that contractors will now need to demonstrate their compliance to third-party assessors rather than self-report it.
- Level 2 requires you to establish and document practices and policies to guide the implementation of your CMMC efforts.
- Level 3 requires defense contractors to establish, maintain, and resource a plan that demonstrates the management of activities for practice implementation.
- Level 4 requires you to review and measure practices for effectiveness on a recurring basis, so your organization can take any necessary corrective action and inform leadership of any issues.
- Level 5 requires that you standardize and optimize process implementation across your organization, with a particular focus on protecting controlled unclassified information from advanced persistent threats.
The CMMC Compliance Guide Provides a Playbook to Achieve All Levels
Now that CMMC has arrived, organizations will no longer be able to self-report their compliance with DoD requirements as they have under DFARS. The Pentagon has raised the ante in terms of cybersecurity for contractors seeking to do business. The question is, what can your organization do?
Arctic Wolf's CMMC Compliance Guide helps you identify which maturity level you'll need to attain and how your organization can get there. Should you do everything in-house or outsource some of the responsibilities? How far ahead should you plan to achieve the level you need? The CMMC Compliance Guide provides insight on these issues and more.