The Cybersecurity Maturity Model Certification (CMMC) came onto the IT security stage in September of 2020, introducing new standards of accountability and security. It was then updated to CMMC 2.0 in November 2021 to streamline the model, reduce assessment costs, and add more flexibility to help the hundreds of thousands of SMBs within the Defense Industrial Base. While the rulemaking is not yet complete, the timeline to achieve and show compliance will be short as the DOD views CMMC as a critical step in protecting controlled unclassified information (CUI) as well as federal contract information (FCI).
CMMC is built upon pre-existing standards like the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks. Unlike DFARS, however, CMMC is strictly enforced and requires every defense contractor and subcontractor to be audited and certified by a third party auditor (3PAO). Holding the CMMC will enable you to bid and hopefully win DOD contracts, but without the certification, you will either be ineligible or forfeit part of a contract award!
CMMC is broken into three maturity levels. If you even remotely meet the standards set forth in DFARS or NIST 800-171, you should easily meet the procedural and process requirements of Level 1. However, meeting higher-level requirements may be challenging depending on your organizational maturity. Lucky for you, our flagship solution, Q-Compliance, assesses your environment, identifies failing controls, and provides step-by-step instructions to get to the next level. It also stores the needed evidence, files, links, and human activity to show auditors you’re ready to win that next contract.
The first step to getting your CMMC is knowing exactly how CMMC will affect your organization.
1) Who needs a CMMC? And if I don’t handle controlled unclassified information (CUI) do I really need a certification?
If you currently hold a DOD contract or are planning to bid a contract (and win), you’ll need to demonstrate CMMC compliance. “But my company is only supplying snacks for vending machines!” You’re in scope of CMMC. It applies to every direct contractor and all subcontractors to that firm. There are over 300,000 companies that make up the Defense Industrial Base (DIB), and all 300,000 will need to achieve and demonstrate a minimum of Level 1 CMMC compliance.
2) How do I get CMMC certified?
2) How do I get CMMC certified?
With the changes in CMMC 2.0, it is no longer necessary for all companies to be externally certified. If your company only needs a Level 1 certification to work with the DOD, you only need to provide an annual self-assessment and annual affirmation. Level 2 adds the requirement of triennial third-party assessments via a C3PAO for critical national security information and triennial self-assessments for other programs. Level 3 requires triennial government-led assessments.
While Qmulos is not a C3PAO, we provide the software to self-assess against the stated controls with our out-of-the-box CMMC dashboard and prove to yourself, or the C3PAO of your choice, where you stand.
3) Why was CMMC created?
Simply put, it’s good for the industry. The DOD needed a streamlined way to assess and enhance the cybersecurity posture of its contractors and subcontractors in the DIB. The CMMC is intended to serve as a verification mechanism, ensuring appropriate levels of cybersecurity practices and processes are in place. Furthermore, CMMC ensures basic cyber hygiene and protects CUI that resides on the Department’s industry partners’ networks.
4) Where should I start?
As a DOD supplier, you most likely hold or create government data like Federal Contract Information (FCI). There is a good chance you hold CUI too. If you store, process, or transmit CUI, you will need at least Level 2 certification. Also, if you hold or export controlled (i.e. ITAR) data, that is considered CUI and it will be subject to at least Level 2 requirements as well as additional ITAR-related data sovereignty rules.
5) Does CMMC replace DFARS?
It does not replace DFARS or NIST 800-171. CMMC builds upon these standards by clarifying some controls and adding additional requirements around practices and processes.
6) Do all my systems need to be at the same level?
No. CMMC version 1.0 stated that contractors can choose to “achieve a specific CMMC level for its entire enterprise network or for a particular segment(s), or enclave(s), depending on where the information to be protected is handled and stored.” This is important because minimizing the systems that store, process, or transmit CUI data minimizes your attack surfaces and lowers compliance costs. For example, do you have a cloud-based CRM? If you don’t put any government data in the system, you might be able to exclude it from your boundary.
7) Am I allowed to self-certify?
Organizations that only need to be Level 1 compliant are allowed to self-certify. For Level 2, you will need to hire a C3PAO, which the CMMC Accreditation Body (Cyber AB) will accredit to perform the audit. You can find a registered C3PAO in the Cyber AB Marketplace.
8) Is there a one-stop-shop for all CMMC needs?
No, but Qmulos and Splunk get you close! Meeting the requirements of CMMC takes the integration of multiple solutions. Compliant platforms, encrypted assets, data back-ups, monitoring and management solutions all need to work together to eliminate cyber-vulnerabilities. However, using Qmulos’ suite of solutions on top of Splunk is a great place to start. As native Splunk-powered solutions, Q-Compliance and Q-Audit solve the problem of adhering to CMMC and other security standards. Q-Compliance and Q-Audit are purpose-built to streamline and automate complex cybersecurity requirements like CMMC.
We further enhanced Q-Compliance with features specifically for CMMC, building the product upon the same standards and best practices used in the new security model. Similarly, Q-Audit provides prescriptive, out-of-the-box auditing capabilities to meet ICS 500-27, the gold standard for threat management. The ICS 500-27 standard will satisfy many of the practice requirements from the CMMC Audit and Accountability domain. As stated previously, these solutions will meet the needs of the auditors and track all human activity, technical evidence, and files and documents.
9) How long does certification take?
This takes time – months even. If you are starting from scratch, you should plan for at least six months to become compliant. Writing policies, deploying solutions, and instituting the necessary culture changes are all efforts that take time. Finally, if you do not have a compliance expert on staff, make the investment to hire one, either internally or externally. There is still a lot of confusion in this space and it’s just not fair – or good practice for your company – to throw your IT manager into the deep end without any help. Furthermore, self-assessments and audits, depending on how mature your security posture is, can take weeks, multiple teams, and many resources.
10) How much will certification cost?
The cost of certification will vary. Factors like the number of systems, organizational cyber maturity, self-assessment results, and audit evidence all have an effect on cost. The DOD will be developing cost estimates as part of the rulemaking process. However, DOD guidelines state that whatever the cost of certification, it is reimbursable and considered an allowable expense.
What next?
Give Qmulos a call, request a demo, or ask your Splunk representative about Qmulos! We provide our clients with the best-in-class compliance software to self-assess their organization in preparation for an audit. Whether you are completely in the dark, or perhaps just have a couple of spots where you need assistance, we have the expertise to help.
Check out our Q-Compliance and Q-Audit white papers where we break down the intricacies of the solutions a little bit more.
If you still have questions, additional frequently asked questions are available on the CMMC website.