What is the Cybersecurity Maturity Model Certification
The CMMC, is an upcoming requirement for all DoD prime and sub-contractors
- A new requirement for existing DoD contractors, replacing the self-attestation model (DFAR) and moving towards third-party certification.
- The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-171B, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, private sector contributions, and input from academia.
- This new certification will assure any existing problems within the Defense Industrial Base (DIB) will be covered and secure.
- It will consist of 5 levels to measure the cybersecurity practices of contractors. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”
- DoD RFPs will have requirements in sections L & M dictating the CMMC level that a contractor needs in order to bid. Your company as a potential DoD prime or subcontractor will need to have been certified at the appropriate CMMC level.
Defense Industrial Base, Cybersecurity Maturity Model Certification, CMMC
Why Is The CMMC Being Created?
Attacks Keep Happening
Attacks keep happening against DIB partners and hacker attention has turned to the smaller contractors for access to the Prime contractors
Assess and Enhance
The DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).
Verify Cyber Resiliency of the DoD Contractors
Serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
What We Know So Far
If your company conducts business with the DoD then you must be certified.
The level of certification required depends upon the Controlled Unclassified Information (CUI) that your company handles or processes. Unlike past certifications, self certifications are being eliminated. All audits must be done by a 3rd party Certified CMMC Auditor
Important Dates
- Available nowVersion 0.7 Draft of the CMMC framework is available now.
- Late January 2020: Version 1.0 of the CMMC framework will be available.
- June 2020: Auditors will be trained and ready to certify; Industry should begin to see the CMMC requirement as part of request for information
- Delayed Until June 2020: CMMC Mandate for DoD RFIs March / April 2020
- Sept. 2020: CMMC Mandate for DoD RFPs September 2020 (Will probably be delayed)
Cost Of Non-Compliance
Contract Termination
It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
Criminal Fraud
If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
Breach of Contract Lawsuit
Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a DFARS / NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., DFARS / NIST 800-171 cybersecurity controls).
What You Need to Do
If your company conducts business with the DoD then you must be certified.
CMMC is still in Draft and less than 12 months away, so it is important to start implementing the NIST 800-171 & Draft-CMMC 0.7 security requirements now. Implementing the NIST 800-171 requirements includes:
- Develop a System Security Plan (SSP) with 110 security requirements
- Document Plans of Action & Milestones (POA&Ms)
- Implement security requirements and controls, like Multi-Factor Authentication and Incident Response
Inceptus Can Help Your Become CMMC Ready
Perform Detailed Assessment
Perform a detailed assessment to determine your compliance level with detailed remediation actions to comply with DFARS/CMMC requirements
Develop Plans to Address Gaps
We develop the required Systems Security Plan (SSP) and Plan of Action & Milestones (POA&M), so you can provide documented evidence to the DoD or your Prime that you’re on your way towards compliance
Develop Customized Threat Detection and Protection Plans
Inceptus Protection Plans are designed to fill the gaps exposed in your assessment. We bring the fundamentals back to cyber and blend them with bleeding edge processes and technologies to detect, deter, defend, respond and recover from threats anywhere in your business ecosystem
Implement Security Framework
Successfully implement the security controls and requirements in NIST SP 800-171, NIST 800-171b and CMMC 0.7 and provide evidence for a successful audit