What is CMMC & NIST Compliance?

Few places are more convenient for storing sensitive information than the devices and networks we use every day. Yet the systems we trust to keep that information safe are increasingly exposed to cyberattacks. These attacks take many forms, but they are most commonly aimed at accessing or modifying sensitive data, disrupting business processes, or extorting money from users and consumers.

Needless to say, staying safe from these attacks and protecting vulnerable data is a top priority for many organizations.

What is cybersecurity?

Cybersecurity is the practice of protecting data, networks and systems from digital attacks and unauthorized access. As more of daily life and business comes to depend on technology, effective cybersecurity practices have become a necessity rather than a convenience.

Because cybersecurity is so important, and because every contractor would otherwise be left to decide for itself how much security is enough, the United States Department of Defense (DoD) has begun to implement the Cybersecurity Maturity Model Certification (CMMC).

What is a Maturity Model?

A maturity model is a framework for measuring and assessing a person's or organization's capabilities in a given subject area. It is structured so that each level spells out the practices or steps required to advance to the next. By providing a tiered standard of assessment, a maturity model gives individuals and organizations a precise guide to where they stand and how to improve.

What is the Cybersecurity Maturity Model Certification (CMMC)?

The U.S. Department of Defense created the CMMC to standardize and measure how its defense contractors approach cybersecurity. The primary goal of the CMMC is to give contractors in the defense industrial base (DIB) a concrete framework for assessing the effectiveness of their cybersecurity efforts and for deciding what to improve next.

The CMMC draws on existing regulations and standards, including the Federal Acquisition Regulation (FAR), its defense supplement (DFARS), and the NIST SP 800-171 security requirements, and combines them into a single model covering the range of practices and processes needed to keep important information safe.

Who does the Cybersecurity Maturity Model Certification (CMMC) apply to?

The CMMC is meant to protect information being used by the contractors and subcontractors that work with the Department of Defense.

The DoD works directly with contractors for a wide variety of business functions. Given the sensitive nature of that work, the DoD is selective about who is given access to which information. The information that the CMMC protects falls into two categories:

Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public.

When does the Cybersecurity Maturity Model Certification (CMMC) take effect?

The DoD released CMMC version 1.0 on January 31, 2020. Although the DoD began asking selected contractors to meet CMMC requirements as early as September 2020, the CMMC will be required of all new DoD contractors and subcontractors beginning in 2026.

Why You Should Care About CMMC

Cybercrime and cyber-espionage are among the most persistent and expensive threats the government deals with every day. Foreign espionage costs the US billions of dollars a year, but more importantly it weakens national security. A common illustration of how revealing seemingly mundane data can be: a military base's monthly order of chicken being larger than normal could signal upcoming troop movements to another country. DoD contractors are entrusted with mundane data of exactly this kind, and protecting it is a matter of national security.

The reliance of the government and the working world on technology cannot be overstated; every individual and organization working alongside the Department of Defense must take the time and care to protect the information it comes into contact with.

What are the 5 Levels of the CMMC Framework?

The five levels of the CMMC framework (as defined in CMMC version 1.0) give contractors and other involved parties an actionable picture of exactly where they stand. The five levels are:
Level 1: Performed, Basic Cyber Hygiene
Level 2: Documented, Intermediate Cyber Hygiene
Level 3: Managed, Good Cyber Hygiene
Level 4: Reviewed, Proactive
Level 5: Optimizing, Advanced/Progressive

Each level denotes the specific practices and processes an organization must have in place and delineates what must be done to reach the next level. Level 1 is the baseline for contractors that handle only FCI, and Level 3 is the baseline for contractors that handle CUI. Note that the CMMC 2.0 revision announced in November 2021 consolidated this model into three levels, so check which version a given contract references.

How much does CMMC certification cost?

As the saying goes, "your mileage may vary", but the DoD has published estimated costs as a rough, preliminary guideline. The cost of getting CMMC certified has three components:
The cost of the assessment
The first-year, non-recurring engineering costs, and
The recurring engineering costs, spread over five years.
The DoD's detailed cost estimates appear in the DFARS interim rule Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041).

Is your organization CMMC certified? Take our CMMC Readiness Self-Assessment to find out where you stand — and how you can move up to the next level — today!