You’ve likely heard colleagues ask what CMMC compliance is. Perhaps you’ve posed the question yourself. Given the pace and frequency with which the guidance has changed, some confusion is reasonable. Still, understanding what CMMC is and what it will mean for your business is critical going forward: your adherence to CMMC will be an essential part of your ability to compete for and fulfill Department of Defense contracts.
You don’t need to be an Information Technology expert to grasp CMMC and its implications. The DoD CMMC framework can be understood primarily as a means of classifying contractors by the sensitivity of the information they handle and of verifying that the cybersecurity controls protecting that information are actually in place.
CMMC: What and Why?
CMMC stands for Cybersecurity Maturity Model Certification. It emerged as an added layer of assurance for cybersecurity measures across the Defense Industrial Base (DIB). In its initial form, it mandated the creation of an Accreditation Body responsible for overseeing audits of contractors’ cybersecurity programs. CMMC was created to ensure that a uniform standard was applied to cybersecurity across the defense sector, rather than relying on contractors’ own unverified attestations.
The first iteration of CMMC was met with resistance. Many contractors believed the expectations were too stringent for firms that did not handle particularly sensitive information. In response to this feedback, the DoD developed CMMC 2.0, which defines a three-level system based on the sensitivity of the information a firm handles: Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and the most sensitive CUI on the highest-priority programs (what this page calls High-Value Assets). The sensitivity of the information your firm handles determines which practices you must implement and how you prove that they are in place.
So, what is CMMC compliance? The first part is implementing the cybersecurity practices required at your level: the basic safeguarding requirements of FAR 52.204-21 at Level 1, the 110 security requirements of NIST SP 800-171 at Level 2, and a subset of the enhanced requirements of NIST SP 800-172 on top of those at Level 3. The second part is having that implementation verified. The verification method corresponds to your firm’s exposure to sensitive information.
If your firm handles only FCI and no CUI (Level 1), you are required to perform an annual self-assessment of your systems and affirm the result. If your firm handles CUI (Level 2), you will generally need to be assessed by an accredited CMMC Third-Party Assessment Organization (C3PAO) every three years; only a subset of programs involving CUI that is not critical to national security is permitted to self-assess annually instead. Finally, firms handling the most sensitive CUI on the highest-priority programs (Level 3) are assessed directly by the government rather than by a C3PAO.
CMMC is expected to be in effect sometime in the next 18 months. While the details are likely to evolve in that time, there are a few things you can do to prepare. First, make sure you understand how the information and materials you handle are classified, and which of your systems store, process, or transmit them; this scoping is the most important factor for CMMC 2.0, because it determines your level and which systems will be assessed. Second, assess your current state against NIST SP 800-171, either on your own or with a compliance management service. NIST SP 800-171 defines the security requirements for protecting CUI in non-federal systems and is the baseline for CMMC Level 2; it also requires you to document your controls in a System Security Plan (SSP) and to track any gaps in a Plan of Action and Milestones (POA&M). A firm that is genuinely compliant with NIST SP 800-171, with that documentation in hand, will be prepared for whichever form of verification applies to it.