If your company is part of the Defense Industrial Base sector, you have already heard about the new Cybersecurity Maturity Model Certification program that is slated to be passed as soon as May 2023. Compliance with CMMC 2.0 will be required for businesses that wish to fulfill government contracts.
Why Is CMMC 2.0 Important?
CMMC 2.0 is designed to ensure the safety of Federal Contract Information and Controlled Unclassified Information. Cyberterrorists and other threats against CUI can place the United States in jeopardy. Certifying government contractors in top-level security techniques helps keep America safe.
What Does CMMC 2.0 Certification Consist Of?
There are three levels of CMMC 2.0 certification:
Level 1: Foundational
Companies that must protect Federal Contract Information should be certified at this level. Businesses will need to meet the 17 controls described in FAR 52.204-21, the Basic Safeguarding of Covered Contractor Information, that focus on the security of FCI.
Level 2: Advanced
Companies that work with Controlled Unclassified Information must meet the requirements outlined in the National Institute of Standards and Technology SP 800-171 to obtain this certification. This level is comprised of 14 levels and 110 security controls designed to protect sensitive data against cybersecurity attacks.
Level 3: Expert
Companies participating in the Department of Defense’s highest priority programs will require a Level 3 certification. This level focuses on reducing the risks from Advanced Persistent Threats by adding the mastery of NIST SP 800-172 controls to the requirements for Level 2.
How Are CMMC 2.0 Levels Certified?
Each level will be certified in a manner appropriate to the information it protects. Level 1 companies will perform an annual self-assessment to ensure they are meeting the appropriate standards.
As Levels 2 and 3 deal with more sensitive information, certification protocols are more rigorous. Companies seeking Level 2 certifications will participate in triannual third-party assessments that are designed to ensure the safety of critical national security data. Level 3 organizations will be certified triannually by a government-led assessment team.
When Will CMMC 2.0 Requirements Be Needed?
It appears that CMMC will gain final approval in May 2023, with contract implementation beginning 60 days later in July 2023. The full rollout will take years, perhaps not fully implemented until as late as 2026, but since there is no way to know which rollout your company’s contracts will fall under it is prudent for organizations wishing to bid on government contracts to be fully compliant with CMMC by July 2023.
How Can Companies Prepare for CMMC 2.0?
Companies wishing to stay competitive in the DIB should begin their compliance journey by working toward the 110 practices outlined in NIST SP 800-171. Meeting these controls can take up to 18 months so the time to get started is now.
If your company would like to expedite the compliance process, employing a CMMC audit team can help determine your company’s starting point, gain support through the ramp-up process and complete a full audit to be sure you are prepared for the new contract requirements.
CMMC 2.0 is a new tool that will help protect sensitive government information from cyber threats and cyber-attacks. Early compliance will position your business for success.