What is CMMC Compliance and How Should You Get Started?
ABS Quality Evaluations
Calling All Department of Defense Contractors
If you do business with the DOD, you are probably aware the CMMC program became a Defense Federal Acquisition Regulation Supplement (DFARS) requirement as of November 30, 2020, in concert with the “DFARS Interim Rule.” In simple terms, the CMMC program mandates cybersecurity requirements for companies that comprise the Defense Industrial Base (DIB). The intent of the program is to bolster the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The DOD considers the CMMC program a vital component of its response to the ever-increasing barrage of cybersecurity threats. Under CMMC 2.0, companies handling CUI on prioritized contracts (Level 2) must undergo third-party assessments by authorized C3PAOs, and companies handling the most sensitive information (Level 3) must also be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Companies handling only FCI (Level 1), and some Level 2 companies, may instead demonstrate compliance through an annual self-assessment and reporting process.
Why You Need to Be an "Early Adopter" of CMMC
Regardless of the CMMC level to which you certify, this is a laborious and time-intensive process. We recommend you start now and become an “Early Adopter.” There are several reasons we recommend you get a head start:
- The process of defining scope takes time. You'll have to ask several questions, including: “Do I have FCI or CUI? Where is it stored or processed? Is information located in email or file stores?”
- The process of implementing security controls takes time and resources. In some cases, you may need to:
  - Plan capital expenditures over a period of years.
  - Secure the right expertise to ensure the controls you rely on are implemented correctly.
- Most companies in the Defense Industrial Base (DIB) will require some form of certification or self-attestation, so there will be stiff competition for a limited pool of reliable and trustworthy assessors and consultants. The line will be long; it's not a good idea to wait.
- Avoid lost revenue. DOD suppliers that do not meet the CMMC requirements written into a contract will not be able to continue performing on that award. For smaller companies this could be financially devastating.
Getting this weight off your chest early will set you at ease and put you ahead of your peers when competing for new solicitations.
How Should You Get Started? Establish Your CMMC Compliance Timeline.
As a maturity model, CMMC allows companies to start with the controls they have in place and build more robust programs by adding more controls and processes. Managing your timeline during this ongoing process will be key to your success as you compete for DOD contracts in the future.
- Nail down what information you have. Start by determining the appropriate CMMC level. Don’t short-change yourself. You may only need Level 1 compliance now, but two years down the road, you may win a contract requiring Level 2 compliance via a third-party assessment.
- Conduct a gap assessment to define your current security posture.
- Create a System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
- Calculate your DOD Assessment Score using the NIST SP 800-171 DOD Assessment Methodology, and enter or update your score in the Supplier Performance Risk System (SPRS).
- Implement necessary security controls, policies, processes and procedures.
- Conduct a follow-up self-assessment and update your score in SPRS.
- Undergo a CMMC assessment with an authorized CMMC Third-Party Assessment Organization (C3PAO).
- Address your security findings.
- Receive your CMMC certification. The C3PAO will submit your assessment results to the CMMC Accreditation Body (CMMC-AB, now known as the Cyber AB).
- Stay informed and updated regarding all CMMC program updates.
ABS Quality Evaluations: Your CMMC Experts
ABS Quality Evaluations (ABS-QE), a C3PAO candidate, is ready to conduct your CMMC assessment. As a Licensed Training Provider (LTP), we stand ready to provide guidance and mentoring to help you implement a cybersecurity program aimed at achieving your certification.
Our services include Consulting (ABS Group), Training, Self-Assessments, Gap Assessments, ISO/IEC 27001, ISO/IEC 20000-1 and ISO 9001 certification.