The Cybersecurity Maturity Model Certification (CMMC) is an accreditation process developed by the Department of Defense (DoD) that measures the cybersecurity maturity of government contractors. Once implemented, all organizations that do business with the DoD will need to meet CMMC requirements to be awarded a DoD contract. There are five levels of certification, based on the types and sensitivity of the data and information that contractors need to access, store and protect. CMMC organizes business processes, practices and capabilities into 18 domains, which in turn contain numerous specific security requirements. The sections below give more detailed information on CMMC and how it will affect organizations doing business with the DoD.
CMMC is intended to ensure organizations are using appropriate levels of cybersecurity practices and processes to protect controlled unclassified information (CUI) on the DoD’s industry partner networks. The DoD is planning to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB), an ecosystem of approximately 300,000 companies of all sizes across multiple industries that sell products and services to the DoD.
Although it has not been implemented yet, CMMC will require technology vendors, channel partners and systems integrators selling to the DoD to make investments in their cybersecurity capabilities if they want to obtain certification. What should you expect?
According to the Office of the Under Secretary of Defense for Acquisition and Sustainment, CMMC assessment costs will depend upon several factors including the CMMC level, the complexity of the DIB company’s network and other market forces. The goal is for CMMC to be cost-effective and affordable for all companies.
Still, technology vendors, channel partners and systems integrators needing CMMC accreditation will have to plan for expenses: assessment costs, remediation costs and changes to business processes. Remediation costs will depend on the current strength of a company’s security posture. Organizations with strong security will have fewer issues to mitigate and lower mitigation costs. The size and complexity of the company is also a factor: an organization of 300 people faces a less expensive task than a company of 15,000. The sensitivity of the data under the company’s control is another key determinant. If a company handles classified data, it will need a higher-level certification and can expect to spend more than an organization processing information at a lower sensitivity level.
As of September 8, 2020, the DoD has not set an exact date on when certifications will be required. However, early-to-mid 2021 is a likely target date. Once this occurs, companies will be allowed to bid on a request for proposal (RFP) even if they have not been certified, but if the RFP includes a CMMC requirement, a company will not be awarded the contract until it is certified.
Third-party organizations, known as CMMC Third-Party Assessment Organizations (C3PAOs), will measure a company’s security posture against these domains and provide a certification at one of the five levels. There are currently no C3PAOs authorized to provide CMMC accreditation. However, there has been a down-select to about 70 potential companies.