In 2020, the US Department of Defense (DoD) released the newly created Cybersecurity Maturity Model Certification (CMMC) Framework in an effort to standardize and improve cybersecurity practices within the Defense Department and the Defense Industrial Base ecosystem. By October 1, 2025, every organization that intends to do business with the DoD will be required, as a condition of contract award, to be assessed against the framework and hold at least a Level 1 certification. Higher levels (up to Level 5) may be required by the DoD depending on the contract, and correspond to increasing access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What is the CMMC?
So, let’s look a little deeper into this new baseline standard. HITRUST defines the CMMC as:
“The United States Department of Defense (DoD) has mandated that all organizations doing business with the DoD, regardless of size, industry, or level of involvement, have the maturity of their cybersecurity operations independently certified against the newly established Cybersecurity Maturity Model Certification (CMMC) Framework. Governed by an overarching Accreditation Body, the CMMC program aims to enforce the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks by requiring every contractor to be audited by an independent third-party auditor or CMMC Third-Party Assessment Organization (C3PAO). Up until now, contractors have struggled to secure their expanded supply chains with inconsistent cybersecurity practices.
The CMMC cannot be obtained via self-attestation but must instead be validated by an authorized third-party assessor, all of which are governed by an Accreditation Body. In addition to overseeing all assessor and consulting firms, the Accreditation Body provides CMMC-specific training and issues certifications.”
The Impact of the CMMC
“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense,”— Katie Arrington, Chief Information Security Officer for DoD’s Office of the Assistant Secretary of Defense for Acquisition.
The impact doesn’t stop with those 300,000 contractors: third-party assurance is another critical area subject to CMMC requirements. Contractors cannot afford to wait to begin conversations with the vendors and subcontractors with whom they share access to sensitive DoD information. The risk and compliance posture of those third parties must be evaluated, because they will also need to meet the CMMC controls required of them by the DoD and obtain their own certification.
Fortunately, the CMMC Framework was designed to be attainable for organizations of all sizes, and the DoD has indicated that the cost of certification will be treated as an allowable cost. There are several levels of certification, each adding controls and rigor over the one below: Level 1 covers the most basic practices and Level 5 the most advanced. Each contract released for bid by the DoD will specify a required CMMC level, corresponding to the risk posed by the contract and the sensitivity of the information handled under it; only organizations certified at that level or higher will be considered.
The first version of the CMMC framework has already been released, and the DoD expects to publish further iterations as it fine-tunes the included controls. It is meant to be a living document that continues to evolve to address new and emerging threats.
Organizations currently under contract with the DoD should plan to earn their CMMC before their contract ends, since certification could decide whether the contract is renewed or placed back on the market for bids. The DoD began attaching mandated CMMC levels to contracts in June 2020, and by 2025 the appropriate level of certification will be non-negotiable for organizations that wish to continue doing business with the DoD.
Readiness and Preparedness
At Lark Security, we want our clients to understand the impact of the CMMC and exactly what it means for them. We help organizations streamline and simplify their own CMMC requirements as well as their third-party management, ensuring that everyone is doing their part to protect sensitive data. We provide the knowledge and tools to identify, assess, recommend, and validate your compliance audit readiness.
As a HITRUST Certified Assessor, Lark Security is well equipped to help your organization understand and prepare for the CMMC. For some time we have been working to ensure that our comprehensive, integrated suite of solutions aligns closely with the stringent requirements of the CMMC and fully supports organizations preparing to achieve certification.
Additionally, organizations that have already achieved HITRUST CSF Certification should be able to determine the additional control requirements for the CMMC by using MyCSF to perform an assessment scoped to the delta in scope and requirements. It is critical that entities can leverage the investments they have already made in information risk management and compliance programs, including existing assurance reports developed using a comprehensive methodology, in support of the CMMC.
Lark Security has years of compliance, risk management, and cybersecurity expertise to help your organization prepare for and achieve the Cybersecurity Maturity Model Certification. Beginning with a readiness assessment and gap analysis, Lark Security delivers a customized roadmap and preparedness plan for your organization’s journey to certification. Our decades of engineering and information technology experience ensure that we can assess and remediate all aspects of a client’s environment, giving you a smooth path to certification.
On April 14, 2021, we’re starting our new Webinar Series on compliance. Keep an eye out for the announcement, as we’ll be kicking things off with a 3-part series on the CMMC:
Part 4: Date TBD – HITRUST Certified Assessment & how to get there (applied towards CMMC)
Part 5: Date TBD – HIPAA Compliance
We hope to see you there, as we discuss these crucially important topics and how compliance will affect your business.