CMMC Compliance 101
Confident and timely CMMC compliance comes down to whether or not you have an informed strategy. Do you know the basics of CMMC compliance and what it means for you?
In October 2020, the DoD released their Interim Final Rule, which set a deadline for NIST compliance and a timeline for CMMC compliance. These new compliance standards not only put DoD contractors on the clock, but also presented them with far more rigorous expectations than they’ve been subject to before.
Who Needs A CMMC Certification?
If you do business with the DoD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. Anyone operating in the DoD supply chain must become certified to show that they are able to protect controlled unclassified information (CUI).
What Does CMMC Mean?
CMMC stands for Cybersecurity Maturity Model Certification. It is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and CUI shared within the supply chain.
What Is CMMC Compliance?
CMMC builds upon the requirements set out by the Defense Federal Acquisition Regulation Supplement (DFARS), the Code of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, NIST SP 800-171).
The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.
The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance developed by NIST in Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.
As a U.S. DOD contractor who collects, stores, or transmits Covered Defense Information (CDI) or CUI, you must comply with NIST SP 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance.
If you don’t, you can’t bid on DOD contracts, and you may lose the ones you have. CMMC is the DOD’s way of giving contractors like you a method for verifying that the appropriate measures have been put in place.
There are five key steps in attaining your CMMC certification:
- Self-Assessment: You need to know where you stand. Have you evaluated how well you’re protecting FCI and CUI, in line with CMMC’s requirements?
- Pre-Audit Support: This is where an expert third party like Orion Networks comes in. We can assess your current processes and determine where you may be vulnerable. We’ll provide you with a detailed assessment that pinpoints areas of concern that you’ll need to address prior to your audit.
- Remediation: Using the information gathered in our assessment, we’ll address any potential vulnerabilities and transition your organization to a fully CMMC compliant state.
- Audit: The next step is to hire a Certified Third-Party Audit Organization (C3PAO), providing them with the results of your self-assessment and the changes made with assistance from our team.
- Certification: Congratulations — you now meet CMMC compliance standards.
What Happens If You’re Not Compliant?
The penalty for CMMC non-compliance is simple — if you’re not compliant, you can’t be awarded defense contracts. There are no fines or conventional penalties. You’re just unable to operate in the DoD contracting space any longer.
While complying with these new requirements will undoubtedly require a further investment of time and money beyond your standard compliance efforts, it’s important to note the silver lining — compliance will likely reduce your competition.
As it becomes more difficult to operate in the defense sector, smaller competitors will likely drop out. Becoming compliant with CMMC will require more resources, and not all current contractors will see the benefit of investing further, especially if they don’t have the capital to do so.
That makes the market less competitive for contractors that do make the effort to become compliant. And that’s not the only benefit — these new requirements aren’t arbitrary. Implementing them will have additional benefits as well, making your company more secure and of greater value to your clients.
How Much Does CMMC Certification Cost?
It’s difficult to narrow down an exact cost for CMMC compliance, as it will largely depend on your current state of compliance, and what you will have to do to remedy it. The larger the gap between your current state and a compliant state, the more it will cost.
That’s why you need to develop a budget for your CMMC compliance processes. Your CMMC budget needs to consider the following factors:
Plan Your Resources
To start, take stock of the state of your systems and how they may need updating. Additionally, you’ll want to consider how your systems may or may not be compliant — particularly if you’re in the cloud.
Answer the following questions:
- Will your IT systems need updating within the next year?
- Are your systems on-premises or cloud-based?
- If on-premises, are you planning a cloud migration in the coming year?
- If cloud-based, are you using the provider’s compliant cloud solution?
With these points in mind, you can better understand how much you’ll need to budget for major projects in the coming year. Whether that means a full cloud migration, or switching to a compliant cloud solution, it’s better to know now instead of later.
Developing Compliant Policies
A core component of Level 3 compliance with CMMC is to both possess and demonstrate documented policies.
Take stock of your current policies and associated practices by answering the following questions:
- Do you have documented policies?
- Has your team been trained to follow them, and are they tested on their knowledge?
- Have your policies been reviewed by a third party?
- Do you have a process for updating policies?
Regardless of whether you hire outside support for your policy development or handle it entirely in-house, you’ll need to budget for that time and expense.
Need Expert Assistance Implementing CMMC?
Organizations may struggle to know which assets are in scope. This is where visibility and control of your IT environment are essential — you can’t manage what you don’t measure.
The process of assessing and maintaining compliance to any standard is the same, regardless of industry:
- Start with a complete understanding of all the rules that you are expected to follow.
- Establish internal policies and procedures to ensure your organization follows the rules.
- Regularly check and assess whether or not your organization is following the rules.
- Address issues whenever you discover the rules are not being followed.
- Document everything.
NCI's offering is a purpose-built, role-based Compliance Process Automation platform. It combines a wizard-driven workflow engine, automated network and computer data discovery, a web-based management portal, and built-in compliance document generation and archiving.
Who Is NCI and How Can We Help?
If you are looking for a proven IT service provider, Network Connections has all the solutions you're looking for. We offer your business managed IT services, mobile or remote workplace, Microsoft cloud services, managed cybersecurity, and hosted VoIP solutions.
Contact us today, and find out how we can help your business.