Government contractors working with the DoD are facing new regulations, and with them new levels of compliance. With the release of the Cybersecurity Maturity Model Certification (CMMC), contractors now find themselves needing to review, and in some cases completely overhaul, their current cybersecurity systems.
HRCT, an IT company in Norfolk, VA, focused on providing technology solutions for organizations throughout the Norfolk region, offers this advice.
The need for new standards was overdue. For years, the DoD has struggled to ensure that all of its contractors kept a tight lid on controlled information. Even after the introduction of the NIST 800-171 and DFARS 252.204-7012 requirements, security measures were not always as strong as contractors claimed. This was due in part to the self-attestation mechanism currently in place and to the lack of an established third-party certification process. Many contractors, and especially subcontractors, did not have a clear understanding of the steps they needed to take to stay compliant.
The goal of the introduction of the CMMC is not only to create a process for contractors to become certified through an outside audit but also to streamline requirements into one inclusive framework.
What Does the Cybersecurity Maturity Model Certification Mean?
The CMMC combines several existing cybersecurity standards into a single standard. This single framework will make it much easier for companies to know what they need to do to comply with the latest regulations.
The Pathway to CMMC for Your Business
The new CMMC breaks cybersecurity maturity down into five levels, from Basic Cyber Hygiene to Advanced/Progressive.
The good news is that the DoD does not expect CMMC requirements to appear as part of RFIs until June of next year. That gives businesses a small window of time to upgrade their current practices and to get certified. But you can’t wait much longer to start moving your company towards certification. Once CMMC levels take effect, contractors without a CMMC level will be unable to bid on projects.
Steps leading to CMMC rating:
- Determine whether your company currently meets any existing CMMC levels. The DoD plans on releasing final CMMC requirements in January, but there is a draft version currently available to give you a good idea of what to expect.
- Remedy any deficiencies which are preventing you from meeting the requirements for the CMMC level you want to reach. You may want to bring in outside experts to ensure you meet all the requirements for your target level.
- Create a self-assessment of the cybersecurity policies you have in place and submit your application for an audit through one of the approved third-party CMMC auditors.
- The auditor will review your application and attempt to verify the information you included. The auditor will then submit the findings to the government for review.
- Once approved, your company will receive a CMMC rating, and then you will be able to bid on DoD projects.
To find more answers to common questions about CMMC, visit the department’s website, or contact directly.
Video – What is Cyber Security
Cyber Security (or cybersecurity) includes anything done to protect sensitive data, computers, networks, and computer systems. The word cyber, used as either an adjective or a prefix, refers to anything related to computers, information technology, and virtual reality.