November 17, 2020

Do you think you know enough about CMMC in order to obtain your certification? You might want to double-check some of the core items you may have read. There’s a surprising amount of misinformation floating around out there, and we’ve identified several common myths associated with CMMC assessments. Today we’re debunking some of those myths so that contractors won’t be caught off guard and miss out on a DoD contract as a result.

Myth 1: CMMC is the same as NIST.

Since CMMC is built upon NIST 800-171, there’s a misconception that the two are the same, or that CMMC is simply NIST with a new name. There are significant differences, however. While NIST 800-171 measures your ability to satisfy a set of standard controls, CMMC maps your cybersecurity processes and practices to one of five maturity levels. Being NIST compliant satisfies only some of the requirements for Levels 2 and 3 of CMMC. Achieving Level 3 requires another 20 controls with additional processes, and Levels 4 and 5 demand even more work. In addition, you can only get CMMC certified through a third-party audit from a C3PAO.

Myth 2: CMMC won’t affect us.

Referring back to Myth #1, once again we must stress the point that CMMC isn’t NIST. NIST allowed contractors to self-verify that they met, or were in the process of meeting, the required controls. It effectively had no teeth.

Conversely, all DoD contractors will absolutely need to be CMMC certified at the level specified in the DoD’s Request for Proposal (RFP). Those that aren’t will automatically be disqualified from being awarded the job. Furthermore, you will not be able to self-verify. Certification will be done through an audit conducted by a third-party assessor and overseen by the CMMC-AB.

Myth 3: CMMC isn’t cost-effective.

Setting aside the fact that you can’t afford the loss of business from missing out on profitable government contracts, the DoD has assured contractors that certification for Levels 1-3 will be affordable. The contracts housed within those maturity levels account for many of the small and medium-sized businesses working with the DoD. While achieving Level 4 and 5 certifications may be more expensive, these levels cover larger contracts, typically handled by larger organizations for which the cost is not prohibitive. Furthermore, CMMC preparation can be reimbursable, which means it’s an expense that can be specified within the contract and billed to the DoD.

Myth 4: There’s plenty of time left to get CMMC certification.

Yes and no. The fact is, if you aren’t bidding on a new contract, your CMMC certification isn’t necessarily an immediate imperative in the strictest sense. The DoD has said the highest level required by any contract in the first year would be Level 3. At the time of writing this article, the higher maturity levels are not yet finalized. At least 15 Governmentwide Acquisition Contracts (GWACs) are scheduled to be released in FY2021 with CMMC requirements. The DoD is very conscious and cautious of how the CMMC ecosystem will function and hopes to avoid bottlenecks. However, companies that believe they will need to be certified soon should start the pre-assessment process now, allowing ample time for remediation and reassessment before their official C3PAO audit.

With Rimstorm as a C3PAO and having our own in-house CMMC Provisional Assessors under the CMMC-AB, we can give you a leg up on the certification process.