Why You Should Begin the CMMC Certification Process Now
The US Department of Defense (DoD) has been outlining, changing, altering, and fine-tuning the Cybersecurity Maturity Model Certification (CMMC) program for more than three years. With more changes recently coming to light, the need for businesses to truly begin their CMMC certification efforts has never been greater.
Update, 8/1/2022 — In late July 2022, the Cyber AB (formerly known as the CMMC Accreditation Body) made a pair of announcements regarding the CMMC program.
First, Cyber AB announced that Voluntary Assessments have begun. These will be led by accredited third-party assessment organizations and the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and will convert into CMMC upon completion of CMMC Rule Making, expected in March 2023. Second, the CMMC Assessment Process (CAP) was released in draft form. The CAP is what assessors will follow to ensure accurate and consistent assessments.
Both announcements drove home the fact that CMMC is rapidly moving forward and the time to tackle CMMC certification is now.
Before focusing on the most recent directives, let's quickly recap the development of CMMC over the past two-plus years. CMMC is a unified standard, designed to improve cybersecurity across the entire Defense Industrial Base (DIB) and the DoD’s whole supply chain. Both prime contractors and subcontractors will need to meet the standard, which verifies that they have sufficient controls to safeguard sensitive data, including Confidential Unclassified Information (CUI) and Federal Contract Information (FCI).
CMMC 1.0 was unveiled in early 2020. You can read much more on the details of that first iteration and the role a CMMC Registered Practitioner plays in helping businesses assess their status here. But it’s important to note that this was just the first step. After 18 months of review and feedback, the DoD announced CMMC 2.0 in November 2021. You can view an in-depth examination of the new version here, but the major changes included:
Reducing the number of compliance levels
Aligning CMMC with existing standards
Allowing more self-assessments
Allowing POA&Ms to achieve certification
Making Sense of the CMMC 2.0 Changes for Certification
Currently, the DoD is in the process of updating its Code of Federal Regulations to include the program’s most recent update — CMMC 2.0 in November 2021 — after an internal review. The rule is expected to be available for public comment in March 2023, and DoD officials have indicated you can expect to see CMMC tied to contracts as soon as the summer of 2023. Previously, CMMC was to be fully implemented by 2024 or 2025. Now, CMMC could be included in all new solicitations as early as August 2022, and no later than November 2023.
Speeding up the timetable for full implementation was just one of several notable changes to CMMC certification announced in July 2022.
Rolling Back Some Self-Assessments
DoD is cutting back on some of the self-assessment allowances it first instituted in CMMC 2.0. Companies dealing with less sensitive FCI will still only need to submit a self-assessment of their practices to meet CMMC Level One requirements. However, companies dealing with CUI, potentially as many as 80,000, will be required to endure a third-party audit in order to win defense contracts.
This change was driven by recent Government Accountability Office findings that the majority of defense contractors audited in recent years failed to implement the standards that form the base of the CMMC requirement. Reports stated that of the approximately 20,000 companies entered in the DoD’s Supplier Performance Risk System (SPRS) website, around 75% were NOT in compliance with the 110 security controls detailed in NIST SP 800-171.
Adding Teeth to Enforcement
Remember, CMMC 2.0 Level 2 is aligned with NIST SP 800-181. This means members of the DIB that handle CUI have no excuse for not being ready when the rulemaking process ends in early 2023. By then, the NIST SP 800-171 mandate will have been in place for more than five years. It’s expected the DoD will be aggressive in auditing CMMC 2.0 self-assessments, reported scores, POA&Ms, and remediation plans, with less tolerance for errors or excuses.
To that end, the DoD has now added another qualifier to self-assessment. A corporate executive will have to sign a document attesting to the validity of the submission. If an audit turns out poorly — after such validation — organizations could face penalties related to the False Claims Act and individuals risk personal liability.
Move Forward with Confidence
Admittedly, digesting the evolving nature of CMMC 2.0 is a lot to handle. Many businesses are facing a host of questions they may not have answers for, confusion about their next steps, or uncertainty about how to respond to directors from a prime contractor asking for self-assessment status or CMMC certification.
It’s important to work with security compliance professionals well versed in the intricacies of CMMC. They can answer your questions, provide a path forward, and outline a blueprint to follow. Above all, businesses need to realize the time to take real action toward CMMC certification is now. Companies that haven’t self-assessed or loaded/updated their profile in SPRS will be left behind. Competition will be fierce to line up third-party audits and assessments. And the time to do so is rapidly dwindling.
So, what should your business do first? Here’s a quick game plan:
Focus on NIST — NIST SP 800-171 is your true north; it’s the basis for the controls in place for CMMC 2.0 Level 2. If your contracts have included clauses for the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7019, 7020 and 7021), you’ve been striving for NIST compliance (and thus CMMC compliance) all along.
Don’t Worry About the Noise — Despite multiple changes and how they can impact various aspects of CMMC certification, the most important steps remain conducting a NIST self-assessment and then uploading those results to SPRS. Then update your score there when appropriate. Without these steps, you’ll be left out of the game entirely.
Taking those steps will alleviate much of the pressure and concern surrounding CMMC certification for many businesses dealing with the still tenuous nature of the new standard.
How Pursuing CMMC Certification Strengthens Your Business
Adjusting to the changes in the CMMC certification process can leave many businesses wondering if the work and resources needed to reach it will be worth it in the long run. In reality, meeting CMMC compliance mandates is a great way to make sure your business is more secure, up to date, and has a firm foundation to build from.
For some, CMMC 2.0 is a mandate and a necessity. But even if that’s not the case, there are plenty of reasons and benefits in becoming CMMC compliant.
Enhance your overall security posture — Implementing security controls using CMMC 2.0 levels increases your overall security posture. It helps protect sensitive information within your organization and increases the security of your supply chain.
Tailor security specifically — Because CMMC offers different compliance levels, it’s an excellent framework to follow for differing requirements. Not every business faces the same level of threats or the same level of data sensitivity. With CMMC, you can establish cyber hygiene policies that address your organization’s particular needs.
Prepare for other regulatory changes — Because of overlap between the CMMC security requirements and other compliance standards, like those developed by NIST, by reaching CMMC certification you’ll have a strong base to build from to address other standards — such as new guidelines in place for ISO 27001 or recent PCI updates.
External proof of commitment — CMMC certification proves how well your business meets security mandates and standards. This matters not only to your internal stakeholders, but potential new customers, partners, vendors, and suppliers.
Earn additional DIB/DoD contracts — CMMC certification will be mandatory in the near future to even bid on government contracts. Businesses that fail to reach the standard will risk losing contracts and relationships with key enterprises. Those that embrace the standard will act from a position of strength moving forward.
Security Compliance Simplified with Inversion6: Meet complex regulatory requirements and maintain a secure IT environment with guidance from our team of security experts.
Inversion6 Helps You Navigate CMMC Certification
Businesses need clarity when it comes to CMMC — what’s expected, what they need to do, and when it needs to be done. At Inversion6 we endeavor to eliminate reactiveness from cybersecurity by collaborating with you to discuss your options, outlining solutions, and putting your compliance efforts into sharp focus with our more than 30 years of experience.
Conduct a gap assessment
Register you with the SPRS portal
Create your System Security Plan
Build a Plan of Action & Milestones
Form a remediation plan
Maintain compliance and reporting
Answer your questions throughout the process
The clock is ticking and the time to act is now. Inversion6 provides the experience and insight to plot out your course toward CMMC assessment and certification and helps you complete the process.