Who Needs a Cybersecurity Maturity Model Certification?


Attackers often go after the low-hanging fruit, such as credit cards and bank accounts. But occasionally, they go after the big fish: government agencies. In light of the recent armed conflicts, the US government has warned about the heightened risk of foreign cyber attacks.

To beef up its security, the federal government also has to shore up the defenses of its independent contractors. To do this, the Department of Defense established the Cybersecurity Maturity Model Certification (CMMC). A business must be CMMC compliant if it wants to continue contracting with the US government.

Keep reading as we discuss what the Cybersecurity Maturity Model Certification is and who needs it.

What Is the Cybersecurity Maturity Model Certification?

The Cybersecurity Maturity Model Certification (CMMC) is a program of the Department of Defense (DoD). The DoD is one of many government agencies responsible for national security and safety, and one of the key areas it tackles is cybersecurity for the United States.

Contractors that are part of the DIB (Defense Industrial Base) must adhere to strict standards for protecting information, specifically the unclassified information they receive from the DoD.

The DoD wants to be sure that it can trust any third party it works with. In essence, the CMMC certification process ensures these third parties maintain the highest standards. Any time they handle sensitive information, they need to use proper encryption and protocols.

Recently, the DoD updated its CMMC program with a 2.0 version. It includes the following changes.

Tiered Model

The tiered model means that the more sensitive the data, the better protection it requires. Contractors dealing with highly sensitive data will need to enforce much more rigorous protection protocols.

Further, the DoD wants to protect information that trickles down to any involved subcontractors.

Assessment Requirement

Similar to audits performed by IT support companies, assessments are tests of compliance. The DoD will thoroughly assess all of its partners to make sure that they are CMMC compliant.

Implementation through Contracts

After passing the assessment, DoD contractors have to keep demonstrating strong security practices. They will have to reach a specific CMMC level; fail to do so, and they may not receive future contracts with the DoD.

Who Needs CMMC Certification?

As noted earlier, compliance certification is for DoD contractors. This includes anyone working for the DoD directly or in its supply chain. CMMC certification is a condition of winning a DoD contract.

The requirement for CMMC compliance extends to other organizations, such as MSPs (managed service providers) and MSSPs (managed security service providers). It goes without saying that you should be accurate about what services you provide; misrepresenting them is a violation of the False Claims Act.

You must also be CMMC compliant if you work with anyone who forms part of the DoD supply chain. That means that as a subcontractor for a DoD contractor, you are responsible.

And, as we stated before, prime contractors carry the heaviest burden. If they pass information down to subcontractors, those subcontractors must be CMMC compliant too. This effectively creates mutual accountability between contractors and subcontractors.

You will still need to adhere to CMMC compliance regulations if you are much further down the chain. That said, the required level will be much lower. In other words, the DoD assigns you less responsibility based on exactly what you handle.

Future CMMC Certification

You may also require CMMC certification in the near future. This pertains specifically to contracts that exceed the micro-purchase threshold of $10,000. By the DoD's estimate, about 48,000 contractors will fall into this category by 2025.

Exceptions to CMMC Certification

You have no obligation to obtain CMMC certification if you are a COTS (commercial-off-the-shelf) provider.

That said, experts recommend that you implement at least the Level 1 CMMC controls. Many experts predict that the DoD will include COTS providers in its future requirements, because distributors and manufacturers increasingly come into contact with unclassified and classified data.

What CMMC Level Is Best for You?

It's impossible to give an exact answer. You will need to work out, using DoD guidance, how much CMMC responsibility you have. The easiest way to determine this is by how much CUI (controlled unclassified information) you come into contact with.

Here are some examples of DoD CUI that your business may be handling:

  • Shipping locations
  • Test reports
  • Software source code
  • Technical orders
  • Weekly status reports
  • Time-compliant technical orders (TCTO)
  • Program protection plans (PPP)

Sometimes, it is difficult to tell whether the data you handle falls under this umbrella. We have not covered all of the sensitive data types here; there are more, such as IP, PHI, ACPI, CHD, PII, and FERPA-covered records.

Review the DoD's resource pages to get an idea of how to classify your data.

How Long Does CMMC Certification Last?

Certification is valid for three years. Keeping your certification depends on passing your assessments, and requirements may change even after you have obtained CMMC certification.

Note that CMMC does not apply to your entire organization. Only the components of your networks and information systems that directly handle CUI need to meet CMMC standards.

Naturally, things change over time. In the coming years, the DoD could well release a version 3.0.

Also, take note that there is talk of other government agencies adopting CMMC. Just because your organization does not fall under this umbrella today doesn't mean it will stay exempt. Keep up to date with the latest news in case you need to obtain CMMC certification.

Get Rock-Solid Security With Be Structured

The Cybersecurity Maturity Model Certification is the DoD's way of ensuring all of its contractors follow sound security practices. If you contract or subcontract for the DoD, you may need to become CMMC compliant. Regulations are expanding, so other agencies may require it in the future as well.

Be Structured Technology Group provides everything you could ever want from a Los Angeles IT support outfit.

Get full-featured, 24/7 IT support for your business from the best Los Angeles managed service provider.

About Chad Lauterbach

CEO at Be Structured Technology Group, Inc., a Los Angeles-based provider of Managed IT Services for small business. I desire to help small businesses better utilize technology by assisting in high-level planning to make sure that new systems will benefit them both operationally and financially. I am careful to implement and support systems using industry best practices.