CMMC is Coming...
Are you Ready?
The Cybersecurity Maturity Model Certification (CMMC) represents a fundamental shift in addressing cybersecurity in the defense industrial base (DIB) and managing cyber risk in the industrial supply chain.
Starting in 2020, defense contractors (and contractors for other agencies) will require 5 levels of certification to manage Controlled Unclassified Information (CUI)/Controlled Defense Information (CDI) as part of their contract services.
So, what is CMMC
CMMC represents a “sliding scale” of information security program levels starting with level 1, or basic security program, through levels 4 and 5, which represent the highest levels of protection for our nation’s most sensitive information. The first M, “Maturity,” represents how integrated your security program may be with your day-to-day business activities. The second M, “Model,” is based on a collection of international standards and best practices for security IT and information processing.
Are small contractors exempt?
NO. The specific requirements around CUI/CDI and certification levels are still being finalized, however common contract activities that involve CUI/CDI – and may impact your level of certification – include:
IT Operations and IT Services
Program Information
(Program schedules, budget items, diagrams, specifications, drawings, etc.)
Human Resources
(Personal identifiable information (PII), healthcare information, movement of military members, troop levels, etc.)
Base Operations and Services
Suppliers and Logistics
Do we know
what level is required?
DOD aims for the majority of DIB companies to only have to meet minimum requirements, however, that still means at least level 1 and level 2 requirements for many companies supporting contracts. The more secure levels of protection (levels 4 and 5) are still under development for early next year.
So what can I do?
Where can I start?
While these new requirements can be daunting, they can be manageable. While final certification is still pending, here’s an easy checklist to orient yourself and the company to prepare.
I’d really like some technical assistance
The Dinocrates Group not only provides security consulting and assessment services to numerous public and private organizations, but as member of the DIB as well, we must also prepare and comply with the standards. We consider ourselves uniquely positioned as a small business in the world of compliance that assist you in your CMMC compliance effort. We offer the following to help you prepare:
- Gap Assessment and Compliance Journey
- Technical and Vulnerability Assessment
- Program and Policy Development
- Compliance Management Platform