Author TruMethods Standards Manager, Brian Dappolone
If you have not heard of the Cybersecurity Maturity Model Certification (CMMC) yet, it is not the end of the world. The latest certification requirements were finalized by the Department of Defense (DoD) on January 31st, and at the moment the DoD is in the process of approving auditors for the new certification. What does this mean for you as an MSP? Not a whole lot, unless you and your customers meet specific criteria.
The DoD website answers some of the basic questions needed to understand the CMMC, why it is important, and who qualifies for the certification.
What is the CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
Why is the CMMC being created?
DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
How will my organization become certified?
The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org).
The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
I am a subcontractor on a DoD contract. Does my organization need to be certified?
Yes, so long as your company does not solely produce Commercial-Off-The-Shelf (COTS) products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.
How does my company become a CMMC third-party assessor organization (C3PAO)?
The CMMC AB will provide information and set requirements for prospective C3PAOs and individual assessors. Prospective C3PAOs and assessors should reference the CMMC AB website (www.cmmcab.org).
In a nutshell, if you do not handle CUI and do not personally perform government contracts, there is no need to worry about the certification. If your customers are involved in DoD contracts or in anything mentioned above or on the DoD website, it is better to be safe than sorry and look into the next steps.
TruMethods does not offer advice on this type of content. It is wise to consult proper legal counsel on these matters. This blog post references information cited by the Department of Defense. Visit the official website for answers to additional questions on the Cybersecurity Maturity Model Certification.