Why You Need a CMMC Registered Practitioner
CMMC will impact how you bid for DoD-related contracts. Inversion6 Technologies, a CMMC Registered Practitioner, will guide you through the process.
Cybersecurity Maturity Model Certification (CMMC) is a unified standard designed to implement and improve cybersecurity across the Defense Industrial Base (DIB) and the wider supply chain of the U.S. Department of Defense (DoD). CMMC Registered Practitioners help prime contractors and subcontractors meet the new standards and prepare them for assessments, which verify that DoD contractors meet or exceed the certification level required by a given contract.
CMMC is a response to continued attacks on the DIB and the DoD supply chain by malicious actors who have successfully compromised contractors' information systems to obtain sensitive defense data. The Center for Strategic and International Studies estimated the total global cost of cybercrime was as high as $600 billion in 2017. Last December, parts of the Defense Department itself were exposed in a widespread intrusion that reached many sectors of the federal government. The loss of intellectual property and certain unclassified information from the DoD supply chain undermines U.S. innovation and technological advantage and significantly increases national security risk.
CMMC will verify that DoD contractors have sufficient controls to safeguard sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The new requirements are already affecting how organizations bid on new contracts.
As of January 2021, an organization bidding on a new DIB contract that carries the CMMC clause must hold the required certification by the time the contract is awarded. The DoD is phasing the requirement in: a limited number of contracts will carry it later this year, with the number growing each year. By 2026, all DIB contractors will need to be CMMC certified by a CMMC Third-Party Assessment Organization (C3PAO) before they can be awarded a DoD contract.
It's essential to understand that any business that contracts with the DoD will need at least Level 1 certification. It doesn't matter in what capacity you work with the department, whether you sell chipsets, rent heavy equipment, or provide catered meals: if you receive or store FCI, you'll need at least the base level certification.
The certification process takes time, months rather than weeks, and there are tangible benefits to starting sooner rather than later. More than two-thirds of contractors surveyed recently believed that moving quickly to demonstrate compliance would create a competitive advantage. With typical DoD contracts running five years, and with the DoD issuing nearly $360 billion in contracts in 2018 alone, becoming compliant with the aid of a CMMC Registered Practitioner could position your company to land valuable recurring contracts while your competitors try to catch up.
Future Requests for Proposals (RFPs) will state the CMMC level the contract requires, and once issued, a CMMC certification is valid for three years. Certifying early at Level 1 puts you in a position to expand your cybersecurity controls and gives you an easier path to Level 2 or Level 3 certification and the additional opportunities those levels open up.
What a CMMC Registered Practitioner Does For You
The CMMC model has yet to be fully implemented and codified, so its goals and metrics are still shifting. The first full assessments aren't expected to be completed until the summer of 2021. By working with a CMMC Registered Practitioner such as Inversion6 Technologies, you'll be kept up to speed on new developments as they happen.
Authorized by the CMMC Accreditation Body (CMMC AB), a CMMC Registered Practitioner can help an organization in many ways on its path to certification. Here are the three most important things a Registered Practitioner delivers for organizations seeking CMMC compliance.
Identifying Your Information and Level Needs
CMMC is divided into five distinct certification levels. If you're selling sandwiches to a local military facility, you might need only Level 1. If you're delivering new technology for a stealth bomber prototype, you're looking at Level 5. More than half of all contractors are expected to need only Level 1, and your CMMC Registered Practitioner should be able to identify the type of information you handle (public, FCI, or CUI) and from that the level you need to qualify for. The five current levels of CMMC are as follows:
Level 1 — This level focuses on protecting FCI through 17 "basic cyber hygiene" practices, such as using antivirus software, limiting system access to authorized users, and controlling physical access to systems.
Level 2 — Organizations must establish and document their practices to an "intermediate cyber hygiene" standard. Level 2 serves as a transition step to Level 3, and a subset of its practices deal with the protection of CUI.
Level 3 — A company must show a managed, institutionalized plan for implementing "good cyber hygiene" practices to safeguard CUI, covering all 110 security requirements in NIST SP 800-171 Rev. 2 plus 20 additional practices.
Level 4 — Organizations at this level must review and measure the effectiveness of their practices, and must take proactive and corrective measures to respond to Advanced Persistent Threats (APTs).
Level 5 — A company must have standardized, optimized processes in place across the entire organization, with increased depth and sophistication in its capabilities to detect and respond to APTs.
Perform Self-Assessment and Upload Results
Since 2018, the DoD has expected contractors and subcontractors that handle CUI to comply with NIST SP 800-171. Effective Nov. 30, 2020, new clauses in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7019, 7020 and 7021) added a verification step: any supplier or DIB member seeking new business or a contract renewal that includes these clauses must complete a NIST SP 800-171 Basic (self) Assessment and upload the resulting score to the Supplier Performance Risk System (SPRS) before a contract can be awarded.
A CMMC Registered Practitioner should identify gaps in your System Security Plan (SSP), propose solutions to close them, and validate the results. The practitioner will also help you conduct your Basic Assessment against NIST SP 800-171, prepare you for a Medium or High assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and advise you on entering your assessment score into SPRS. The self-assessment depends on a completed SSP describing your network as it currently exists, with a Plan of Action and Milestones (POA&M) that tracks each unimplemented requirement and its remediation date.
These steps matter because, until CMMC certification becomes the standard for all supply chain contracts (full implementation is expected by 2026), the SPRS score is how your organization demonstrates its commitment to the new cybersecurity requirements.
Find an Assessor to Guide You Through Your Audit
One of the biggest changes under CMMC is that companies will no longer be able to self-certify their compliance. Instead, the CMMC AB authorizes C3PAOs (mentioned earlier) and the CMMC Certified Assessors who work for them to conduct pass-or-fail assessments when organizations seek official certification. Registered Practitioners cannot conduct assessments, and Certified Assessors cannot advise the organizations they assess on how to pass them.
This separation exists to prevent conflicts of interest. As a Registered Practitioner, Inversion6 Technologies can prepare you for what you need to know before your assessment, find and engage a C3PAO to perform it, and then accompany your team through the assessment as you demonstrate that you meet the CMMC standard.
Once certified, you'll still benefit from a CMMC Registered Practitioner to help you maintain compliance over the life of the certification, particularly for practices centered on perimeter and boundary defense and on controlling, monitoring, and protecting the boundaries of your systems. It is in this continued compliance that Inversion6 Technologies delivers added value.
Inversion6 Technologies will help you reach your desired level of certification, then be there to help you maintain, or perhaps grow, your capabilities within the CMMC program.
Besides winning and maintaining more DoD contracts, CMMC-compliant companies will also be positioned to:
- Reduce the risk of data breaches and lower their exposure to nation-state actors
- Lower the risk from insider threats
- Make progress toward other frameworks and regulations, such as NIST guidance, ISO 27001, HIPAA, FISMA, and SOX
Inversion6 Can Help You Solve the CMMC Dilemma
The constantly evolving scope and details of CMMC can be intimidating for smaller businesses trying to work out how to meet the new requirements governing DoD contractors. We've worked for decades to make companies more secure and to bring their security programs in line with a wide range of industry regulatory and compliance requirements. In the process, Inversion6 Technologies has developed the skills and techniques needed to help you quickly adjust to, and meet, the new CMMC certification requirements.
As an extension of your team, Inversion6 Technologies provides customized security solutions to support your internal security efforts. Whether you're looking for CISO, MSSP, or security software guidance, Inversion6 Technologies partners with you to keep your company safe. Dedicated to long-term service, Inversion6 Technologies works to protect your organization around the clock by investigating and detecting potential threats, communicating those concerns, and eliminating the underlying security issues.
Contact Inversion6 to learn more about how our CMMC services can alleviate some of the pressures your business faces as it prepares for the new DoD cybersecurity model.