Who Needs the Cybersecurity Maturity Model Certification (CMMC) And How to Prepare

Taylor Karl


The cybersecurity market is forecast to be worth $403B by 2027, and 44% of global ransomware attacks target municipalities. The rapid escalation of cyber-attacks has caught the attention of the Department of Defense. Growing concerns about data security prompted the DoD to develop the Cybersecurity Maturity Model Certification (CMMC) to better equip professionals and companies to prevent data leaks and other cyber-attacks. Let's jump into who needs the CMMC and how to prepare for it.
 
What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a multi-level model built from some of the best cybersecurity practices across various industries. The CMMC Accreditation Body (CMMC-AB) works with the DoD to ensure that an independent, third-party assessment is available for contractors at each CMMC level. The CMMC is being phased in over the next few years; however, the certification will only grow more critical as the years count down to the 2025 deadline. The CMMC 2.0 framework has three key features: a tiered model, an assessment requirement, and implementation through contracts.
 
Who needs it?
Those who plan to do business with the DoD in any capacity (every supplier across the supply chain, both prime and subcontractors) will eventually be required to obtain the CMMC. Keep in mind that the timeline to complete all rulemaking requirements is projected at 9 to 24 months, which includes a mandatory 60-day public comment period and concurrent congressional review. With that said, even if the CMMC isn't a strict requirement for you or your company, it may be a good idea to look into the certification simply because it shows how cybersecurity strategies and practices are evolving. Also, by understanding the framework, you'll be a step ahead if the CMMC becomes a new industry standard.
 
The 3 Levels of the CMMC
CMMC includes 3 increasingly progressive levels:
  • Level 1: Foundational
Level 1 will include the 17 controls of CMMC 1.0 Level 1, a limited subset of NIST 800-171 meant for companies that handle FCI only. The department sees this foundational level as an opportunity to "engage contractors in developing and strengthening their cybersecurity posture." Level 1 assessments will be self-assessments conducted using the CMMC self-assessment guide.
  • Level 2: Advanced
CMMC 2.0 Level 2 includes the 110 controls of NIST 800-171 and is intended for companies that handle CUI. Level 2 is split based on the criticality of the information held by the organization: assessments will be completed by third-party assessors on a triennial basis, with annual self-assessment for select programs.
  • Level 3: Expert
This level is for the highest-priority programs with CUI, and assessments at this level will be completed by the government rather than by C3PAOs. Though Level 3 is planned to be based on a subset of NIST 800-172 requirements, the concrete details have not yet been released by the DoD.
 
How to prepare?
Remember, if you or your company are planning on working with the Department of Defense in any capacity, you will need the CMMC. The first step in preparing for the CMMC is to identify the correct level of certification. This means working with the prime and/or subcontractors to evaluate your contracts and see what data your company is allowed to access, which determines the level your employees are required to complete. After you find which level is necessary, the next step is to evaluate where gaps exist in the cybersecurity processes and tools you have in place. Understanding where you need improvement is a great way to focus training on the right areas without wasting time or money down the road. Lastly, you'll need to document everything. As your contract progresses, having documentation from certified third-party assessors can be critical for demonstrating higher levels of cybersecurity maturity.
 
Takeaways
Becoming fully CMMC certified is projected to take up to 24 months, and time is ticking quickly toward the overall deadline. The time to get everything started is now. United Training can help you become fully compliant with training led by industry-leading subject matter experts. We offer various courses to equip your employees to implement the CMMC procedures and practices.
 
For more information on CMMC courses visit our CMMC page today to beat the deadline!