The CMMC Key to Unlocking DoD Opportunity

CMMC Knowledge Hub

Is your organization secure enough to do business with the U.S. Department of Defense?

Proving that your organization is secure enough to do business with the U.S. Department of Defense (DoD) has taken a big leap forward with the arrival of the Cybersecurity Maturity Model Certification (CMMC). Get it right, and you successfully set the stage to compete for DoD contracts. Ignore it—or fail to achieve the certification level your business needs—and you’ve just slammed the doors of DoD opportunity shut.

Achieving CMMC compliance is a complex, multidimensional process, but if you work in the so-called “defense industrial base” that contracts with DoD—or plans to—you’re going to have to work with it. So here’s a quick lowdown on this important new credential and the essential facts on why it should be central to your cybersecurity planning.

Here’s what we’re going to cover in the next few minutes:

What is CMMC and Why Do We Need It?

Corporate data breaches have become a regular occurrence in the day-to-day activities of modern businesses, so common and widespread that many of us pay little attention even when we’re told our information was among that of the thousands or millions of people affected. In fact, the larger the breach—like Equifax’s 2017 doozy that allowed cybercriminals to access personal information on 145.5 million U.S. consumers—the more impersonal and abstract the danger feels.

But the U.S. Department of Defense can’t take a casual posture toward digital breaches. To the DoD and its contractors, security breaches can be lethal, potentially both endangering military personnel and threatening national security and the stability of democratic allies throughout the world.

That’s why the DoD developed the Cybersecurity Maturity Model Certification: to provide a standardized way to assess, improve, and certify the cybersecurity of both prime contractors and subcontractors in the department’s massive supply chain. Don’t forget to check out other aspects of CMMC in the rest of our Knowledge Hub series articles:

CMMC Knowledge Hub

The DoD released version 1 of the CMMC model on Jan 31, 2020 as part of the Defense Federal Acquisition Regulation Supplement (DFARS). Experts in CMMC say it’s built on, and closely aligns with, an earlier security standard from the National Institute of Standards and Technology’s Special Publication, NIST SP 800-171. Longtime contractors familiar with the earlier standard know it as the requirements that any non-Federal computer system must follow to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

That jumble of acronyms and numbers may sound complicated. That’s because it is complicated. What’s important to remember is that being part of this buzzwordy endeavor not only helps protect DoD data and assets but can make your own organization more secure in the process—regardless of who you’re doing business with.

Who Needs CMMC Certification?

First, the good news: CMMC is currently scheduled to be deployed via a phased approach until September 30, 2025.

But if you plan to do business and bid on contracts with the DoD (or work with an organization that does), you’re going to need some level of CMMC certification. And considering the many ways CMMC requires security to be woven into your company’s culture, practices, and technical infrastructure, the time to start preparing is now.

We’re not going into the details of the five distinct maturity levels right now, but be aware that each is designated by a particular combination of “processes” and “practices” whose meaning will become clearer as you dive deeper.

Processes Practices
Level 1 Performed Basic Cyber Hygiene
Level 2 Documented Intermediate Cyber Hygiene
Level 3 Managed Reviewed
Level 4 Reviewed Proactive
Level 5 Optimizing Advanced/Proactive

While these words and phrases are not completely intuitive, they do hint at increasing tiers of security sophistication in the progressive CMMC levels we discuss in more detail in the related article, “Understanding CMMC Maturity Levels.”

The level your organization needs to achieve depends on the sensitivity of information associated with products or projects you plan to bid on and will presumably be listed when a contract goes up for bid. While prime contractors may be required to achieve level 3 or higher, subcontractors may simply need to get level 1, or “Basic Cyber Hygiene.”

And the model is cumulative: Each level you go up includes and builds on what’s required—and you’ve achieved—at the previous level.

What Are the CMMC Requirements?

Conceptually, this is where it gets tricky, because the CMMC framework has a lot of moving parts—with some parts feeding into and overlaying on others.

In addition to the five maturity levels we’ve already touched on, the overall framework includes:

How Do I Get CMMC Certified?

Prior security standards from NIST were self-attested, meaning you could simply say you were compliant and be compliant.

CMMC shifts the burden of proving cybersecurity compliance from self-assessment to external assessments conducted by Third Party Assessment Organizations (C3PAOs).

Self-assessments should be conducted prior to working with C3PAOs, as these evaluations could yield findings that require you to develop a POAM, or Plan of Action and Milestones. This document details the specific measures your company will take to correct deficiencies found during a security control assessment, including tasks and the resources required to make the plan work.

Under NIST SP 800-171, companies that accessed or stored Controlled Unclassified Information (CUI) could substitute POAM—a plan of action—for actual completion of requirements. That’s no longer the case with CMMC.

A POAM can be valuable for driving your team’s preparation toward higher levels of cybersecurity maturity, but now you’ll have to actually meet the requirements of each maturity level to get that level of certification—not just promise you’re working on it via a POAM.

But before you’re ready for evaluation, there’s documentation to complete, technology to deploy, domains to learn about, processes and capabilities and controls to put in place, acronyms to make sense of . . . Deep breath. You can do this. And we can help.

Will CMMC Rock Society to Its Core?

Let’s be honest: It won’t. But successful use of the certification can help protect the cybersecurity of the U.S. defense establishment and all the soldiers, citizens, industries and allies who depend on secure information. So maybe not rocking society to its core is the true measure of success in this case.

But here’s the thing: If you don’t get a handle on CMMC, it could shake your own world by locking your business out of DoD bids. This means you’re handing opportunities to competitors who’ve got something you don’t.

And remember, a CMMC certificate will be valid for three years. So depending on how well your bidding goes for DoD contracts—and your company’s vision for the future—you may very well spend those three preparing for the next assessment.

Ready for more? Read the next article in our CMMC series, “Charting Your Cybersecurity Maturity Model Certification Path.”

Let's demo

Opportunity is knocking

See what Onspring can do for your CMMC certification plans.
Let's demo