
CMMC, What it Is, How it Works, Why it Matters
There are over 220,000 individual contractors and subcontractors that conduct business with the Department of Defense (DoD). For all of these contractors, and for the thousands of private businesses that are looking to land a lucrative DoD contract, the rules of the game are about to change forever. At the end of 2020, the DoD began changing its cyber security requirements for government contracts. This means that over the next five years, contractors that have not upgraded their technology and cyber security procedures to earn the proper certifications will not be eligible to compete for DoD contracts.
These new regulations aren't a spur-of-the-moment decision either. The CMMC requirements were carefully created after years of development and discussion, and they are built on the National Institute of Standards and Technology (NIST) Special Publication 800-171 requirements. Many contractors are confused about how to get certified and how to address compliance with their internal resources. This guide takes a look at the important steps contractors need to take in their efforts to achieve compliance.
Phase One: Readiness Assessment
Many private businesses have no written cyber security strategy at all; contractors have simply developed responses to each new internet threat as it appeared. While this reactive way of handling cyber security may meet the bare minimum of requirements for private businesses, it is completely inadequate when working with government contracts. Adapting to CMMC requirements starts with planning and assessment. This assessment seeks to answer very general questions:
- What contracts are on the horizon?
- Are the right IT policies and tools in place to meet requirements?
- What parts of the business are affected by these new cyber security requirements?
- Are there enough internal personnel to handle certification, or will outside support be needed?
- How much more budget is needed to expand cyber security abilities?
- What data is considered sensitive?
- Are all cyber security procedures documented?
- How large is the gap between current cyber security levels and the targeted CMMC framework?
The CMMC model requires contractors to review, assess, and make changes to their cyber security controls. An honest and thorough readiness assessment is the important first step.
Phase Two: Prepare For Gaps
Perhaps the most important determination that needs to be made during the readiness assessment is which level of CMMC requirements needs to be met. The CMMC consists of different levels of security, starting at level one, which focuses on basic cyber security and covers 17 controls, all the way to level five, which covers 171 controls and is reserved for DoD contractors working on highly sensitive projects.
This gap analysis is critical because if initial compliance efforts result in a failed audit, the steps needed to remediate the gap will extend the process further and delay a contract award. During this step, the System Security Plan (SSP) with its Plans of Action and Milestones (POA&M) will be completed or updated. Gap analysis sets a goal; after this step, it should be absolutely clear what needs to be done to reach the desired level and how long it will take to get there.
Phase Three: Strategically Complete Improvements
Once the gaps are understood, contractors can plan and execute server and workstation upgrades, hardware and software installations, and documented training for end-users. This phase is where a managed IT services provider that specializes in CMMC compliance can bring the most value. A seasoned MSP knows the simplest ways to complete these improvements and can adapt your existing environment to new requirements.
Phase Four: Get Certified and Stay Certified
Certification requires a third-party assessment, and if your business is built around government contracts, it will be the first of many. Once certified, the task is to maintain all the new technologies and processes. Every cyber security strategy ends with a monitoring and remediation phase, because it is very easy to let up on cyber security procedures once the audit is over.
The Time to Start Is Now
If your business relies on DoD contracts, the sooner you act to meet CMMC requirements, the better your chances of securing those contracts. CMMC compliance can be a daunting task for many small and medium businesses, but this is where a security expert like RCS Secure can provide the most value. While there is no one-size-fits-all solution to compliance, a trusted technology partner can perform a complete CMMC gap assessment, evaluate your needs, and find the best ways to satisfy the requirements with a combination of technology, managed security services, and cyber security education.
If your business is facing a CMMC audit, call RCS today.
About Us
RCS Secure offers a full spectrum of cyber security safeguards and services. Our services combine compliance standards expertise with cutting-edge technology to identify risks, prioritize remediation, and ensure you are both secure and compliant.