The Cybersecurity Maturity Model Certification designation and your business
Currently, over 300,000 companies conduct business with the U.S. Department of Defense (DoD). If yours is one of them, or you’re interested in working with the DoD in the future, you need to know about the Cybersecurity Maturity Model Certification (CMMC) and what it means for your business.
CMMC And Me: What It Is And Why You Need It
Introduced in 2020, CMMC is a certification that businesses are now required to obtain in order to begin or continue business with the DoD. CMMC is comprised of five levels of certifications that ensure the maturity and reliability of your business’s cybersecurity capabilities, to better protect sensitive data stored within your systems. These five levels build upon each of the previous levels’ requirements and work together to establish a secure cybersecurity baseline across your business. Levels range in requirements from “basic cyber hygiene” to more sophisticated processes that allow for continued updates and improvements of your business’s cybersecurity plan. The goal is to help ensure your business has the capability to not only detect potential threats, but to prevent new threats as they develop.
This requirement comes as part of a larger effort within the DoD to respond to recent cyberattacks and prevent sensitive information from being extracted from contractors’ information systems. Working alongside top researchers, the DoD designed CMMC as a way to ensure that all contractors they work with have unified cybersecurity protocols in place to better prevent against threats and attacks. In this new system, businesses must attain the certification to prove they can adequately protect sensitive information. Businesses that do not comply with CMMC will be unable to conduct business with the DoD or apply for future contracts until CMMC compliance is met.
Overview: What You Need to Know About CMMC Compliance
The first step to becoming CMMC-compliant is recognizing that your business needs a plan to become certified sooner rather than later. Here’s what you need to know:
- Getting ahead will only benefit you. Preparing for CMMC early can help streamline the process and help make the certification easier to obtain.
- Take stock of your business’s cybersecurity infrastructure. Note current practices that may already comply with CMMC and identify potential areas of weakness that will need to be addressed.
- Register with a C3POA accredited assessor. To ensure a greater level of accuracy and unbiased assessment, authorized third-party assessment organizations, or C3PAOs, are responsible for issuing CMMC certificates to businesses – not the DoD directly. As of June 2021, Rea & Associates earned recognition as a CMMC-RP and is on the way to becoming a C3PAO.
- The costs associated with becoming CMMC-compliant vary and increase by level of maturity. According to a statement from the chief information security officer at the Office of Defense Acquisition & Sustainment, a business should expect to pay anywhere between $3,000 to $5,000 for the CMMC level one certification – with costs increasing at each level. The good news? CMMC preparation is an “allowable cost” and, in most situations, is reimbursable by the DoD. This means DoD contractors are eligible for reimbursement for the preparation and remediation work required to obtain CMMC.
- CMMC certificates are valid for three years. Renewal of certifications will be required on a continual basis to ensure businesses stay up to date on cybersecurity requirements.
- While all companies working with the DoD will need to become CMMC-compliant, individual contracts with the DoD may require different levels of certification. As a best practice, it’s advisable to obtain all five parts of CMMC to ensure your business is completely compliant and able to carry out business with the DoD at any CMMC level.
How to Begin the Certification Process
CMMC can be an intimidating process for contractors working with the DoD, but you don’t need to pursue certification alone. Our team of Rea cybersecurity experts and CMMC registered providers can help you every step of the way. Contact me to learn more about CMMC and how your business can obtain certification.
By Travis Strong, CISA (Wooster, OH)