CMMC: The Top 10 Things to Know

The Cybersecurity Maturity Model Certification (CMMC) came onto the IT security stage in January 2020, introducing new standards of accountability and security. CMMC is built upon pre-existing standards such as the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology (NIST) frameworks. Unlike DFARS, however, CMMC is strictly enforced and requires every defense contractor and subcontractor to be audited and certified by a third-party assessment organization (C3PAO). Holding the CMMC will enable you to bid on and, hopefully, win DoD contracts; without the certification, you will either be ineligible or forfeit part of a contract award!

CMMC is broken into five maturity levels. If you came anywhere close to meeting the standards set forth in DFARS or NIST 800-171, you should easily meet the procedural and process requirements of Level 1. Meeting the higher-level requirements, however, may be challenging depending on your organizational maturity. Luckily, our flagship solution, Q-Compliance, assesses your environment, identifies failing controls, and provides step-by-step instructions to get to the next level. It also stores the needed evidence, files, links, and human activity to show auditors you’re ready to win that next contract.

The first step to getting your CMMC is knowing exactly how CMMC will affect your organization. As such, we’re going to answer the top 10 most Googled CMMC questions:

1) Who needs a CMMC? And if I don’t handle controlled unclassified information (CUI) do I really need a certification?

If you currently hold a DoD contract, or are planning to bid on (and win) one, you’ll need your CMMC. “But my company only supplies snacks for vending machines!” You still need a CMMC. It applies to every direct contractor and to all of that firm’s subcontractors. More than 300,000 companies make up the Defense Industrial Base (DIB), and all 300,000 will need to hold at least a Level 1 CMMC.

2) How do I get CMMC certified?

Before hiring an outside C3PAO, you should do a self-assessment to determine whether you meet Level 1. Level 1 consists of 17 controls and parallels the FAR 52.204-21 requirements, which all federal contractors must meet. It represents basic cyber hygiene and the minimum standards any contractor should already have deployed. While Qmulos is not a C3PAO, we provide the software to self-assess against the stated controls with our out-of-the-box CMMC dashboard and to prove to the C3PAO of your choice where you stand.

3) Why was CMMC created?

Simply put, it’s good for the industry. The DoD needed a streamlined way to assess and enhance the cybersecurity posture of its contractors and subcontractors in the DIB. CMMC is intended to serve as a verification mechanism, ensuring that appropriate cybersecurity practices and processes are in place. Furthermore, CMMC ensures basic cyber hygiene and protects the CUI that resides on the networks of the Department’s industry partners.

4) Where should I start?

As a DoD supplier, you most likely hold or create government data such as Federal Contract Information (FCI). There is a good chance you hold CUI too. If you store, process, or transmit CUI, you will need at least a Level 3 certification. Likewise, if you hold export-controlled (e.g., ITAR) data, that data is considered CUI and is subject to at least Level 3 requirements as well as additional ITAR-related data sovereignty rules.

5) Does CMMC replace DFARS?

It does not replace DFARS or NIST 800-171. CMMC builds upon these standards by clarifying some controls and adding requirements around practices and processes.

6) Do all my systems need to be at the same level?

No. CMMC version 1.0 states that a contractor can choose to “achieve a specific CMMC level for its entire enterprise network or for particular segment(s), or enclave(s), depending on where the information to be protected is handled and stored.” This matters because minimizing the number of systems that store, process, or transmit CUI shrinks your attack surface and lowers compliance costs. For example, do you have a cloud-based CRM? If you don’t put any government data in that system, you may be able to exclude it from your assessment boundary.

7) Am I allowed to self-certify?

Organizations are not allowed to self-certify. However, each organization is encouraged to self-assess in preparation for its audit. You will need to hire a C3PAO, accredited by the CMMC Accreditation Body (CMMC-AB), to perform the audit. You can find a registered C3PAO in the CMMC-AB Marketplace.

8) Is there a one-stop-shop for all CMMC needs?

No, but Qmulos and Splunk get you close! Meeting the requirements of CMMC takes the integration of multiple solutions. Compliant platforms, encrypted assets, data backups, and monitoring and management solutions all need to work together to eliminate vulnerabilities. That said, using the Qmulos suite of solutions on top of Splunk is a great place to start. As native Splunk-powered solutions, Q-Compliance and Q-Audit solve the problem of adhering to CMMC and other security standards; both are purpose-built to streamline and automate complex cybersecurity requirements like CMMC.

We further enhanced Q-Compliance with features specifically for CMMC, building the product on the same standards and best practices used in the new security model. Similarly, Q-Audit provides prescriptive, out-of-the-box auditing capabilities to meet ICS 500-27, the gold standard for threat management. The ICS 500-27 standard satisfies many of the practice requirements in the CMMC Audit and Accountability domain. As stated previously, these solutions meet the auditors’ needs and track all human activity, technical evidence, files, and documents.

9) How long does certification take?

This takes time, months even. If you are starting from scratch, plan for at least six months to become compliant. Writing policies, deploying solutions, and instituting the necessary culture changes all take time. If you do not have a compliance expert on staff, make the investment to hire one, either internally or externally. There is still a lot of confusion in this space, and it is neither fair nor good practice for your company to throw your IT manager into the deep end without any help. Furthermore, depending on how mature your security posture is, self-assessments and audits can take weeks, multiple teams, and many resources.

10) How much will certification cost?

The cost of certification will vary. Factors such as the number of systems, organizational cyber maturity, self-assessment results, and audit evidence all affect the cost. However, DoD guidelines state that whatever the cost of certification, it is reimbursable and considered an allowable expense.

What next?

Give Qmulos a call, request a demo, or ask your Splunk representative about Qmulos! Ready or not, it’s time to get started on the road to CMMC compliance. We provide our clients best-in-class compliance software to self-assess their organization in preparation for an audit. Whether you are completely in the dark or just have a couple of spots where you need assistance, we have the expertise to help.

Check out our Q-Compliance and Q-Audit white papers where we break down the intricacies of the solutions a little bit more.

If you still have questions, 23 additional frequently asked questions are available on the CMMC website.