CMMC: What You Need to Know

What It Is

The Cybersecurity Maturity Model Certification (CMMC) is a unified security standard for establishing strong cybersecurity infrastructure and practices across the Defense Industrial Base (DIB). This updated set of requirements builds on and improves the currently existing NIST standards to effectively address cybersecurity vulnerabilities across the 300,000+ organizations in the DIB.

Timeline

The DoD first released the CMMC standards in January 2020, following up in September of the same year with a self-assessment requirement for all current or potential government contractors, due November 30th, 2020. These announcements were the beginning of a five-year CMMC rollout, culminating in the final deadline of October 1st, 2025. After that date, all DoD contractors must meet CMMC requirements.

While this may seem like a far-off deadline, cybersecurity improvements can take time and money, and the November self-assessment deadline shows that there may be other required milestones to hit well before 2025.

On Nov. 4, 2021, the Department of Defense announced the enhanced CMMC 2.0 with “the goal of safeguarding sensitive information while:

Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements;
Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and
Increasing Department oversight of professional and ethical standards in the assessment ecosystem.”

Five Levels of Compliance

The CMMC has five levels from Basic Cybersecurity Hygiene all the way up to Advanced/Progressive cybersecurity strategies. Depending on the company and the contract in question, contractors will need to comply at the relevant cybersecurity level for the work they’re doing. Learn more about these levels by downloading the 6 Steps to CMMC Readiness guide below.

Note: Although this section lists the five levels from Basic to Advance, it does not mention the levels for CMMC 2.0 which are; Level 1 (same as CMMC 1.0 Level 1), Level 2 (CMMC 1.0 Level 3), and Level 3 ( CMMC 1.0 level 5). Click here to learn more.

The CMMC evaluates the following cybersecurity domains, all of which need to have at least Basic Cybersecurity Hygiene to be CMMC compliant::

Access control
Asset Management
Awareness and training
Audit and accountability
Configuration management
Identification and authentication
Incident Response
Maintenance
Media protection
Physical protection
Personnel security
Recovery
Risk management
Security assessment
Situational awareness
System and communications protection
System and information integrity

What Should I Do Now?

All DoD contractors, including small businesses, commercial item contractors, foreign suppliers, educational entities, and anyone interested in doing business with the DoD will need to assess their compliance ASAP.

In today’s world and especially when working with sensitive DoD-related information, cybersecurity is non-negotiable. Businesses must immediately begin the process of improving their cyber infrastructure and complying with the CMMC requirements so they’re not left behind in coming years.

TCecure Offers CMMC Compliance Services

TCecure offers a free guide: CMMC: What You Need to Know that includes 6 Steps to CMMC Readiness! If you follow these steps, your business will be in the right position to meet CMMC’s requirements and comply with possible additional deadlines. Sign up below to receive this free essential CMMC guide!

In addition, the TCecurity Compliance Manager (TCM) ensures our clients can perform self assessments, manage compliance, and improve long-term cybersecurity. This tool is customized for the client’s budget so your organization gets the help it needs. Learn more here.