The Cybersecurity Maturity Model Certification (CMMC) is here and has the potential to establish a new security framework for other public agencies. CMMC compliance for MSPs and IT pros working with the Department of Defense (DoD) or its contractors should be a priority for 2021 to maintain business as usual.
This month, the Cybersecurity Maturity Model Certification (CMMC) was officially adopted as the new standard for Department of Defense (DoD) contracts. By October 2025, every DoD contract will require contractors to be certified by a third-party assessor on a five-level rating system. For IT pros working with defense contractors or the DoD directly, understanding the new CMMC rules and how to adhere to them is instrumental to the success of the business. Eventual CMMC compliance may reach managed services providers (MSPs), too, as other public agencies adopt higher security standards.
The CMMC consists of five levels, with Level 1 being the easiest to attain and Level 5 being the most difficult and costly to attain. At Level 1, an organization must adhere to 17 required controls designed to maintain cyber hygiene and protect federal contract information (FCI) and controlled unclassified information (CUI). To achieve CMMC Level 5, an organization must adhere to 171 required controls. The good news is that according to Katie Arrington, Chief Information Security Officer for Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S), most contractors will only need to achieve a CMMC Level 1, and less than one percent of contracts will require CMMC Level 4 or 5.
The new rules were expressly designed to secure the DoD’s supply chain. In light of a growing number of breaches and ransomware attacks that hijack legitimate tools used by the public and private sector, following the guidelines laid out in the CMMC process can help stop these kinds of attacks in their tracks. This framework benefits IT pros working across every industry, as many of the cybersecurity hygiene rules, like requiring multi-factor authentication for users, are basics any organization could implement.
The DoD’s push to secure its supply chain may ultimately result in a new standard for civilian agencies. In fact, FedScoop reported that CISA officials have noted that civilian agencies will naturally benefit from CMMC implementation and that the agency aims to align its cybersecurity approaches and directives with CMMC as much as possible. With the possibility of the CMMC becoming a new federal standard, it can be a competitive advantage for MSPs to start getting up to speed on the new rules and incorporating federal security best practices into their business.
Whether you’re just getting started with Cybersecurity Maturity Model Certification rules or brushing up on your cybersecurity hygiene, here are some of the most important things to know about CMMC.
What is CMMC?
CMMC stands for the Cybersecurity Maturity Model Certification, a new standard that applies to all contractors and subcontractors of the Department of Defense (DoD). The new certification was designed as a cybersecurity framework to assure the protection of sensitive unclassified information and guard against supply-chain style attacks by cybercriminals.
CMMC is a five-level rating system. Level 1 covers basic cybersecurity hygiene practices, like using MFA. The requirements increase in number, complexity, and cost at higher levels of certification. According to the OUSD A&S, less than one percent of contracts will require Level 4 or 5 certification.
When Does CMMC Go Into Effect?
CMMC was put into effect in December 2020. The rules will be phased into new DoD contracts over the next five years, with full implementation scheduled for October 2025.
How Do I Know What Certification Level I Need?
Most contracts will require only Level 1 certification, so this is an important first step all DoD contractors and subcontractors should hit. Beyond that, new contracts will indicate the CMMC Level required.
How Much Does CMMC Cost?
Katie Arrington, Chief Information Security Officer for OUSD A&S, estimates that meeting CMMC Level 1, the lowest standard, will cost $3,000 every three years to maintain. Higher CMMC levels are expected to become more expensive to achieve and maintain.
What Are The CMMC Level Requirements?
CMMC Level 1 consists of 17 cybersecurity practices, which address all practices outlined in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21. These practices include capabilities in asset management, configuration management, identification and authentication, and disaster recovery, to name a few.
CMMC Level 3 consists of 130 cybersecurity practices and includes all those in NIST SP 800-171r1. At CMMC Levels 4 and 5, the requirements that DoD contractors must adhere to include a subset of the practices from Draft NIST SP 800-171B and additional advanced cybersecurity practices.
To become certified, organizations must use an authorized and accredited CMMC Third Party Assessment Organization (C3PAO), which conducts CMMC assessments and assigns CMMC certificates. The OUSD A&S plans to have about 1,500 companies certified in 2021 as new DoD contracts include the requirements.
What Does CMMC Mean For MSPs?
CMMC compliance for MSPs working with DoD-connected clients may become a requirement, and they should develop a plan for meeting the requirements laid out in CMMC Level 1. Doing so will allow the clients' businesses to continue running smoothly and improve the overall security of non-DoD-connected clients as well. Many of the requirements of CMMC Level 1, like the ability to provide security assessments and awareness training, can be valuable services to include in your Managed Services Agreement (MSA).
For MSPs engaged with other parts of the federal and local government, some level of CMMC compliance may become the new standard for public agencies, too. With the increasing rate of company breaches and the demand for cybersecurity services, CMMC can serve as a useful guide to identify a pathway for growing the business. CMMC was also developed in partnership with European countries like Switzerland and the UK, suggesting the possibility of an international cybersecurity standard and new growth opportunities.
How Can IT Pros Get Ahead of CMMC?
Start with ensuring services can be delivered through the cloud in order to accelerate CMMC compliance efforts and reduce costs. By leveraging cloud tools, IT pros can provide many CMMC practices that improve cybersecurity for the whole organization and mitigate risks.
Cloud-based remote monitoring and management tools can serve as important pieces in the cybersecurity tool chain. Not only can they accelerate the detection of vulnerabilities and the management of security, but the tools can also be leveraged to coordinate and organize many core security functions like patch management and antivirus.
For a complete FAQ, visit the OUSD A&S page on CMMC.