Organizations may be wondering what the new “Cybersecurity Maturity Model Certification” (CMMC) requirements are, if they pertain to them, and how to become certified themselves. Below is some information which should help make sense of it all.
What is CMMC?
CMMC is a standard for implementing cybersecurity. Its framework includes a certification element to confirm processes and practices are in place at your organization. The intention is to protect sensitive unclassified information in the supply chain. All organizations that conduct business with the Department of Defense (DoD) will soon be required to be CMMC certified. For the 220,000 DoD contractors and sub-contractors, this is critical news.
The initial implementation of the CMMC will only be within the DoD, and not necessarily for all the Federal non-DoD contracts. However, the DoD is rolling out this requirement in a phased approach until all contracts require certification on September 30, 2025. In this first year of the rollout, only 15 contracts will have this requirement.
The CMMC Model
The CMMC model has 5 maturity levels, and only level 1 will be required to start. CMMC level 1 has 17 requirements which were directly lifted from NIST 800-171. Future DoD contracts will define what CMMC level is required and may require higher maturity levels over time.
What happens if a company that is CMMC certified gets hit with an attack or suffers a breach? Although it will not result in the loss of the certification, the DoD may enforce a re-assessment.
An organization may believe they meet the right CMMC level criteria; however, they cannot self-certify. They must use an accredited auditor certified by the CMMC Accreditation Board (CMMC-AB). The CMMC-AB recommends companies conduct an assessment before attempting an audit. Check out our CMMC FAQ page to learn more!
Although companies may conduct self-assessments before initiating an audit, they can alternatively contact Peters & Associates to assist with an assessment, as well as any required remediation work.
Peters meets and exceeds CMMC level 1 requirements by having achieved the CompTIA Security Trustmark+ designation. CompTIA Security Trustmark is based on the NIST Cybersecurity Framework and demonstrates compliance with key industry regulations, such as DFARS, FISMA, PCI-DSS, SSAE-16, & HIPAA. Contact us at firstname.lastname@example.org to learn more – we are happy to help!