The Office of the Under Secretary of Defense for Acquisition and Sustainment has recently issued a statement that security is foundational to acquisition and its importance should be considered with the same weight as cost, schedule, and performance moving forward.
The Cybersecurity Maturity Model Certification (CMMC) was created to ensure the Defense Industrial Base of government contractors is adequately protected by the adoption of stronger cybersecurity practices. Currently, compliance with the existing NIST 800-171 standard is based on self-assessment by the contractor itself.
For contractors not currently in compliance with NIST 800-171, a Plan of Action and Milestones (POAM) can be used to document the steps and dates by which compliance will be achieved. Under CMMC, POAMs no longer exist: certification levels will be attained through an audit, and all required controls must be in place at the time of the audit.
CMMC certification levels range from “Basic Cyber Hygiene” (Level 1) to “Advanced/Progressive” (Level 5). At a minimum, any company handling Controlled Unclassified Information (CUI) will be required to meet the requirements of Level 3. To achieve Level 3, a government contractor must fulfill all 110 of the practices and/or controls specified in the NIST 800-171 standard, along with 20 additional practices.
Commencing in September 2020, select Requests for Proposal (RFPs) will specify the required CMMC level in sections L & M. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified at that level.
Rimstorm can help you prepare for your CMMC audit in a number of ways. We can provide a CMMC Cybersecurity Review which will detail all gaps in your processes and/or controls required to achieve CMMC certification. This report will also make recommendations on how to correct these deficiencies. If desired, we can also help fill in the gaps through managed security services and other cybersecurity services.