CMMC: The new security standard for the DoD (and others?)
Monday May 31, 2021
If you do anything with Department of Defense (DoD) contracts, you are probably already familiar with the new Cybersecurity Maturity Model Certification, or CMMC. The DoD is rolling out the program in phases over the next several years. For DoD fiscal year 2021 (FY21) only about 1% of contracts will require CMMC certification, but by FY26 it is expected that all new DoD contracts will require all prime contractors and subcontractors to be certified.
CMMC is layered into 5 levels, from 1 (Basic Cyber Hygiene) to 5 (Advanced/Progressive Cyber Hygiene). However, a firm that reaches level 3 (Good Cyber Hygiene) will be able to qualify for about 98% of all DoD contracts.
The great thing about the CMMC model is that it is largely based on a well-known and fairly straightforward security standard, the National Institute of Standards and Technology (NIST) standard 800-171. This standard relies on a self-assessment against 110 security controls that an organization should implement. Once a firm reviews how it measures up against the standard, it can then develop a System Security Plan (SSP) that documents its existing systems and processes and details how it plans to correct the out-of-compliance findings.
The mere act of completing a self-assessment and writing the SSP will allow a contractor to work on most CMMC-required contracts for 3 years. So doing the NIST 800-171 self-assessment and putting together the SSP is almost always the first step in getting qualified to work on CMMC contracts.
By the end of the 3-year window, a firm is expected to have implemented its SSP and be compliant with its target CMMC level (again largely, but not entirely, based on NIST 800-171). At that point, an outside firm known as a CMMC Third Party Assessment Organization, or C3PAO, must certify the organization as compliant. This is mandatory for all CMMC certifications, but the DoD has cost allowances for the certification.
The step from NIST 800-171 to CMMC compliance should be a comparatively small one; the main hurdle will be the initial NIST 800-171 compliance. While assessing and developing an SSP may be somewhat straightforward, straightforward does not equate to easy. Documenting your systems and processes, comparing how well they hold up against the 110 security controls, and designing a plan to get compliant is a detailed and laborious process.
While large firms will likely already have a security plan and team in place that can absorb this as an incremental load on their duties, small firms may be challenged to find not only the resources to implement NIST 800-171, but also the capable staff to undertake the effort. That need will certainly see many new businesses sprouting up over the next few years to help with CMMC implementations.
Looking ahead, there are a couple of interesting aspects to the NIST 800-171/CMMC requirement. First, NIST 800-171 is a general standard that can be applied to most small, medium and large businesses. This contrasts with the patchwork of industry-specific standards that are often confusing and ill-defined and, in turn, do not lend themselves to commonality. So NIST 800-171 may fit the need for a common standard. Second, this broad implementation of NIST 800-171 by over 200,000 DoD contractors in the United States could evolve into a standard for non-DoD businesses as well. It would not be surprising to see cyber insurance companies, lenders, or contracting businesses inquiring how compliant a firm is with NIST 800-171 (or its successor) before conducting business.
SpotLink, with over 20 years as a technology infrastructure and security expert, has executed many high-level security compliance implementations and supported even more outside audit verification processes. We stand ready to help our DoD contractor clients, and any other clients who want to implement a security program along these standards, get through this new requirement and come out of it a more mature and capable organization.
CEO & Founder