Cybersecurity Maturity Model Certification (CMMC)
Prepare Your Business for CMMC with a Gap Assessment Today
The Cybersecurity Maturity Model Certification (CMMC) is the latest effort by the United States Department of Defense (DoD) to adequately secure government data. Government data used or developed by vendors holding contracts or subcontracts with the U.S. DoD requires some of the best cybersecurity available. This is why the CMMC will soon be required for businesses and manufacturers working with the U.S. DoD.
Several drafts of the CMMC were publicly released and public comment was requested. The U.S. DoD took that feedback into account and issued CMMC v1.0 on Jan. 31, 2020. While DFARS 252.204-7012 and NIST SP 800-171 are government regulations that require certain cybersecurity efforts by vendors, the requirements of DFARS 7012 and NIST 800-171 could be completed after the award of a contract and relied on a self-assessment and attestation process. The new CMMC requires that certain cybersecurity policies, procedures, and controls be implemented before a contract is awarded, as certified by an accredited, independent third-party CMMC assessor.
CMMC Level Requirements will be Incorporated into DoD Requests for Information Starting June 2020.
CMMC Level Requirements will be Incorporated into Requests for Proposals Starting October 2020.
CMMC Affects Primary & Secondary Contractors
In addition to requiring the primary contractor to fulfill the CMMC requirements, the Office of the Undersecretary of Defense (OUSD) requires that the requirements flow down to all subcontractors on DoD contracts, regardless of their size or function. There are five levels of CMMC certification. The government will determine the appropriate level required for each contract it administers. The required CMMC level will be stated in sections L and M of the request for proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts (see information on levels below). The higher the level of CMMC certification your business achieves, the more contracts it will be eligible to bid on.
Government contractors and subcontractors can expect to find CMMC implemented in DoD contracts by June 2020, according to the OUSD. Vendors will see cybersecurity requirements included as part of new requests for information (RFI). This is typically one of the first steps in awarding new defense contracts. Businesses working with DoD contracts will be required to be certified at the designated CMMC level or they will risk losing future contracts.
Read the original article from U.S. DoD News, “Cybersecurity Requirements Likely for Defense Contracts by June 2020”.
See the release of CMMC Model v1.0.
The CMMC Schedule
- January 31, 2020 - CMMC Version 1.0 Released
- January to March 2020 - Auditor Training and Certification Beginning
- June 2020 - CMMC Included in Request for Information (RFI)
- Fall 2020 - CMMC included in Sections L & M of Request for Proposals (RFPs)
CMMC Model Framework
The CMMC model categorizes cybersecurity best practices at the highest level by domains. There are 17 domains within the current CMMC model and each domain is segmented by a set of capabilities. Capabilities are achievements to ensure cybersecurity objectives are met within each domain. DoD vendors will be able to demonstrate compliance with the required capabilities by demonstrating adherence to practices and processes, which are mapped to five maturity levels.
The CMMC comprises five defined cybersecurity levels. Each level has a set of supporting practices and processes. Level one requires the most basic cyber hygiene, while level two requires intermediate cyber hygiene. Level three requires compliance with more practices and processes to achieve good cyber hygiene, while level four requires a more proactive approach to cybersecurity. Level five is the highest level of CMMC and requires the most advanced and progressive practices and processes. There are nine different practices and processes in place for each of the 17 domains.
Practices are better known as controls. These practices are broken down by level, and each level calls for a set of practices that must be implemented. The levels are cumulative, meaning that a practice required at level one is also required at all higher levels.
- Level 1: 17 practices
- Level 2: 55 practices (plus L1 practices)
- Level 3: 58 practices (plus L1-L2 practices)
- Level 4: 26 practices (plus L1-L3 practices)
- Level 5: 15 practices (plus L1-L4 practices)
Levels 1-3 include a total of 130 practices that target the largest and most active segments of the United States Defense Industrial Base (DIB) holding government contracts. Levels 4 and 5 include a total of 41 practices that target small subsets of the DIB supporting critical programs. With a total of 171 practices, CMMC has a significantly higher number of controls than previous government regulations, to ensure cybersecurity best practices.
Processes are also broken into five levels. They represent the maturity-level capabilities required per domain.
- Level 1: 0
- Level 2: 34 processes
- Level 3: 17 processes (plus L2 processes)
- Level 4: 17 processes (plus L2-L3 processes)
- Level 5: 17 processes (plus L2-L4 processes)
How Can Dox Help?
Dox, a certified Exostar partner, will seek accreditation as a third-party CMMC assessor as soon as the CMMC training and licensing process is developed by the CMMC Accreditation Body (CMMC-AB) and becomes available. This will allow Dox to offer its white-glove service to all businesses, regardless of size, wishing to achieve Cybersecurity Maturity Model Certification, and will enable your organization to move ahead with the DoD bid process without barriers.
In the meantime, Dox continues to offer gap assessments for compliance with NIST SP 800-171 and DFARS, which cover the requirements of most current DoD contracts. This type of assessment also provides insight into your readiness for CMMC, as most of the practices required at CMMC levels 1, 2, and 3 come from NIST SP 800-171. In fact, every one of the 110 requirements in NIST SP 800-171 appears as a practice within CMMC levels 1, 2, and 3. If you are already compliant with NIST SP 800-171, you have a solid start on achieving CMMC compliance up to level 3.
Assess and Comply with All Three Types of Security Requirements
Call Dox Today for Regulation Assistance
Ensure Your Business is Compliant
The experts at Dox Electronics are here to assist you with all of your government and Department of Defense (DoD) regulatory compliance requirements. As a Microsoft Silver Partner, Dox is a certified Microsoft reseller for the Microsoft 365 U.S. Government Community Cloud (GCC) High environment. Dox now offers Microsoft 365 GCC High licensing for companies requiring fewer than 500 licenses, to ensure your company meets requirements ranging from NIST 800-171 to FedRAMP and ITAR.
Many business leaders are unsure which cloud is right for them. For businesses with government contracts through the DoD, or those that fall under DFARS or ITAR requirements, GCC High is a necessity for achieving compliance. DFARS also requires the business cloud environment to be FedRAMP compliant. Microsoft cannot meet the reporting and compliance requirements of DFARS 7012 paragraphs (c) through (g) under the regular public Office 365 offering; Microsoft only certifies DFARS compliance on the GCC High environment.
Don't struggle with regulatory compliance on your own. Ensure your business achieves compliance with help from Dox.
Call Dox now at (585) 473-7766 to schedule a free consultation
Non-Compliant Businesses are Losing Money. Don’t be One of Them.
Now is the time to begin moving toward Cybersecurity Maturity Model Certification. According to the Office of the Under Secretary of Defense (OUSD), unless a higher level is specified, all contractors and subcontractors must meet a minimum of CMMC level 1 requirements. In addition, the OUSD said industry should begin to see the CMMC requirements as part of Requests for Information (RFI) by June 2020. Manufacturers and vendors that are not certified will risk losing future DoD contracts as a result. Uncertified businesses will likely see large financial losses as a direct result of failing to achieve certification.
Those businesses that fail to meet the CMMC requirements will experience:
- Loss of new DoD contracts
- Loss of business reputation
- Loss of revenue from DoD contracts
Don’t wait until the last minute to prepare for CMMC. If you are slower to achieve certification than your competitors, your business is at a distinct disadvantage. With proper certification, you can outbid your competition.
Schedule your CMMC gap assessment meeting now by calling (585) 473-7766. You may also fill out the contact form on this page and we will reach out to you as soon as possible to schedule your free initial consultation.