With the phased rollout of the U.S. Department of Defense’s (DoD’s) new Cybersecurity Maturity Model Certification (CMMC) requirements, many defense contractors are scrambling. These companies are looking for quick and easy ways to meet DoD compliance standards so they can keep bidding on government contracts.
However, as with any new government regulation, there seems to be some confusion about CMMC, who needs to adhere to it, and the best way to go about complying with the cybersecurity rule. In fact, some CMMC myths have already started to crop up that may cause defense contractors to waste valuable time and money if they fall for them.
What are some common myths about CMMC? More importantly, how can you prepare your business for CMMC compliance?
5 Common Myths about CMMC
Some of the most prevalent myths about CMMC include:
1. We Don’t Need CMMC if We Have NIST Compliance
One of the biggest misconceptions about CMMC is that it’s the same as NIST 800-171. So, many companies may assume that if they are NIST compliant, then they’re already CMMC compliant.
This may be because a significant portion of the controls used in CMMC are based on NIST 800-171. However, while many of the controls required are the same or similar, CMMC builds on NIST 800-171 and adds more controls and nuance.
Additionally, certification for CMMC is conducted by a certified third-party assessment organization (C3PAO) in accordance with the CMMC accreditation body (CMMC-AB). So, there is a separate certification for CMMC that is distinct from NIST 800-171.
While meeting CMMC standards will require many of the same controls as NIST, they aren’t the same thing. A separate certification will be required for DoD contracts that specify CMMC.
2. CMMC Certification Won’t Affect My Business
Some organizations might assume that, because they aren’t specifically defense contractors working directly with the DoD, CMMC won’t affect their business. This isn’t necessarily true.
Even companies that don’t work directly with the government may act as subcontractors for companies that do. When those prime contractors apply for CMMC certification, part of their assessment will involve whether their vendors are meeting the right cybersecurity standards.
In this case, even a business that doesn’t work directly with the government may lose customers. After all, defense contractors need to meet CMMC and other cybersecurity requirements themselves—and cutting off vendors who hold them back from being able to take government contracts only makes good business sense.
On the other hand, a CMMC-compliant company may be able to attract new business from defense industry contractors who need partners to outsource specialized projects to.
3. I Have to Have a Level 5 Certification
One of the things that everyone needs to know about CMMC is that the certification comes in five levels:
- Level 1: Very basic, often informal, cybersecurity practices are performed. The company meets 17 security practices.
- Level 2: Documented cybersecurity processes that improve consistency. The company meets 72 security practices.
- Level 3: Managed cybersecurity processes that progress towards protecting controlled unclassified information (CUI). The company meets 130 security practices.
- Level 4: Reviewed processes that measure and evolve the organization’s security controls. The company meets 156 security practices.
- Level 5: Optimized processes that leverage deep and sophisticated security. The company meets 171 security practices.
To oversimplify things a bit, higher levels of certification indicate that the company’s cybersecurity is better optimized and documented compared to lower levels.
One thing that many organizations might assume is that, if they want to win government contracts, they will need to have the highest possible certification. However, this isn’t necessarily true. In fact, for many DoD contractors, pursuing the highest levels of CMMC certification may actually be wasteful of both time and resources.
The DoD isn’t going to require level 5 certification for every request for proposal (RFP) it issues. In fact, the majority of defense contractors will only need to meet level 3 of CMMC (or lower). Level 4 and 5 certifications will only be required for the most sensitive defense contracts.
4. I Can Bill the Government for My CMMC Compliance Costs
Some contractors may be slightly confused about a 2019 statement from Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD.
In the statement reported on Federal News Network, it was intimated that “the government, in some cases, will pay for cybersecurity.” This may have led some contractors to believe that the government will cover the costs of their CMMC readiness efforts. However, this is not the case.
Here’s a clarification from the pages of Small Business Today Magazine (SBT): the “official audit costs – and not any readiness assessment costs or remediation – will be reimbursed when a company is awarded a contract that requires a CMMC Maturity Level.”
In other words, the government is only going to cut a check for the audit itself—and that’s only if you win the contract requiring CMMC certification. Your costs for getting CMMC ready, such as adding new security, going through additional training, and running other assessments will not be reimbursed.
5. We Can Just Show Our Compliance to the DoD
So, what if your security measures already meet DoD compliance standards for the level of security a government contract requires? Does that mean that you can just show the DoD your compliant security processes and tools and skip getting certified by a C3PAO?
Even if you’re actually compliant already with CMMC, you still need to undergo the assessment and certification process to be able to take on a contract from the DoD. As noted in the SBT article cited above, when a contractor is awarded a contract, “the awardee will need to present their CMMC Maturity Level Certification required by the proposal” at that time.
So, while you might not need a certification to bid on a contract, you will need to provide your certification documents to the DoD once you’re awarded the contract.
How to Prepare for Cybersecurity Maturity Model Certification
With the phased rollout of CMMC underway, how can your company prepare for certification so that it can start taking contracts that require certification ASAP?
Some basic preparation tips include:
- Documenting All Your Processes and Tools. Documentation is a key requirement for level 2 and higher cybersecurity maturity. It’s also useful when being assessed by C3PAOs so they can easily and accurately assess your cybersecurity.
- Choosing a Desired Cybersecurity Maturity Level. What level of CMMC does your company need to satisfy to take on the government-related contracts it typically pursues? If you tend to work on more classified projects, then a higher level of maturity will be needed. If not, then a lower level may suffice. In most cases, level 3 maturity is all you need. It can help to discuss this with a DoD representative to nail down the level your most commonly bid-on contracts will need.
- Run a Gap Analysis and Make the Necessary Changes. Compare the security controls your chosen maturity level requires with your existing controls. This gap analysis can help you focus on the most important things you need to meet DoD compliance requirements. Then, make the changes needed to close those gaps.
- Schedule an Assessment. Contact the CMMC-AB to schedule an assessment with a C3PAO. After the assessment is concluded, be sure to create a plan of action and milestones (POA&M) to address any issues the assessor identified so they can be fixed before the assessment is finalized—which usually takes place within 90 days.
In addition to these preparatory measures, you can also work alongside an experienced managed security service provider (MSSP). MSSPs can help you identify the best tools and resources to efficiently increase your cybersecurity and bring it into compliance with your desired CMMC maturity level.
This, in turn, can help relieve some of the stress and difficulty of adjusting to a new cybersecurity regulation—freeing up your time and resources so you can focus more on winning bids rather than worrying about whether your two-factor authentication and incident response plan are up to snuff!
Need help meeting CMMC requirements while avoiding falling for CMMC myths? Reach out to the Systems X team today to get started!