The Cybersecurity Maturity Model Certification (CMMC): What You Need to Know

Learn how to meet new Cybersecurity Maturity Model Certification (CMMC) standards, verified by third-party assessments, to secure future DoD contracts.

Big change is coming, just like it did with FedRAMP in 2022. The U.S. Department of Defense (DoD) will soon require companies bidding on contracts to meet Cybersecurity Maturity Model Certification (CMMC) requirements. CMMC is expected to become law within the next 12 months.

The DoD developed the CMMC to establish a unified cybersecurity standard for its defense industrial base (DIB), which includes more than 300,000 supply chain companies and 77,000 subcontractors.

CMMC compliance could be an uphill battle for many companies, especially mid-sized to small contractors who may lack the resources and expertise to navigate its complexities and requirements. The key questions are whether they are compliant today and whether they have a plan to become compliant. Many have neither.

These contractors often find themselves in a vulnerable position, as they may struggle to allocate the necessary time and funds to achieve CMMC compliance, which typically takes around 18-24 months and approximately $2M to accomplish. Without proper guidance and support, these organizations risk falling behind and losing their ability to compete for DoD contracts in the future.

Prepare for CMMC compliance

To be ready for CMMC, contractors should start by determining their required CMMC level, based on the type of information they routinely handle. Next, they should conduct a gap analysis to identify areas where their cybersecurity practices fall short of the required CMMC level.

Based on the findings, contractors should develop and implement a plan to address the identified gaps and improve their cybersecurity postures. Engaging with a CMMC Third-Party Assessment Organization (C3PAO) to schedule a CMMC assessment is also a crucial step.

Finally, contractors must maintain and continually improve their cybersecurity practices to ensure ongoing compliance with CMMC requirements.

Understand CMMC certification levels

CMMC has three certification levels, each with increasing cybersecurity requirements. Again, the required CMMC level for a contractor depends on the sensitivity of the DoD information each handles, with higher certification levels required for increasingly sensitive information.

Level 1: Foundational (17 practices). An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."

Level 2: Advanced (110 practices). An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard Controlled Unclassified Information (CUI), including all the NIST SP 800-171 r2 security requirements and processes.

Level 3: Expert (110+ practices). An organization must have standardized and optimized processes in place, plus additional enhanced practices that detect and respond to the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Capabilities include having the resources to monitor, scan and perform data forensics.

Get started now, to start reaping rewards soon

Yes, achieving CMMC compliance is challenging and requires significant effort, resources and commitment from contractors to meet the stringent cybersecurity requirements set forth by the DoD.

However, you do have plenty of options:

  • Partner with experienced cybersecurity service providers
  • Invest in staff training and awareness programs
  • Implement robust cybersecurity tools and technologies
  • Regularly monitor and assess your cybersecurity posture

Succeed in the era of cybersecurity standards

The introduction of CMMC marks a significant shift for DoD contractors. While the journey to compliance may be challenging, it is necessary to protect sensitive defense information. By understanding the requirements, preparing diligently and seeking the right support, contractors can successfully navigate this new era of cybersecurity standards and continue to compete for DoD contracts.

It's a journey we can help you with. With our support, not only can you meet and surpass the challenges posed by CMMC, you can also open the door to new opportunities for your organization.

Ready to get started? Contact us today at:

  • Rackspace Technology Government Solutions

Russell.Rodd@Rackspace.com

For more information on Rackspace Technology Government offerings, visit:

Cloud Government Solutions | Unparalleled Expertise & Experience (rackspace.com)

About the Authors

Russell Rodd

Marketing Manager, Public Sector

Russell Rodd is Marketing Manager for Rackspace Technology Public Sector and has over 28 years' experience in sales and marketing to Federal, State, Local and Higher Education customers. His specializations include contracts, customer growth and outreach. Russell Rodd resides in the Tampa, FL area with his wife.