In a great slice of news for small-to-mid-sized DIB contractors, the Department of Defense (DoD) has announced that a CMMC 2.0 program structure is set to be released. The DoD has taken feedback on board from the first iteration of the model, with the main aim being to reduce costs — helping out the little guy in the process.
This comprehensive operation is designed to continue protecting you from cyberattacks of all descriptions, reinforcing great cooperation between the DoD and the sector as a whole for the foreseeable future.
But before we get into the nitty-gritty, we first have to answer a very specific question regarding the CMMC and how it can help benefit your managed IT services.
What is CMMC?
Cybersecurity Maturity Model Certification, or CMMC for short, is a program that was launched by the DoD in 2019. It was created to protect controlled unclassified information (CUI) shared with the government’s Defense Industrial Base (DIB) contractors.
Upon its creation, the program promised a far more in-depth and uniform assessment and certification process. Put bluntly, it ensures that cyber-terrorists aren’t able to acquire data that they otherwise wouldn’t have access to.
IT security is one of the most essential things you can have on your roster in the modern age. New attack techniques are devised every day, and you have to be prepared. With CMMC, additional clarity is provided on policy and regulations within the cybersecurity industry, and that can only be a positive as we move forward through this new age.
What is different with CMMC 2.0?
Announced in late 2021, the CMMC 2.0 assessment includes a three-level structure instead of the five levels in version 1.0, allowing for a much more streamlined process from head to toe. The new model is also aligned with existing NIST standards - something that many DIB contractors have already started doing.
Above all else, this will open the door to significant cost savings for these contractors, with a new Foundational Level 1 in the new model that requires just 17 practices. This level follows an annual self-assessment model, removing the need for a third party to intervene.
As noted, the three levels in question are Level 1, Level 2, and Level 3, which are listed as Foundational, Advanced, and Expert. There are 110 practices aligned with NIST SP 800-171 in Level 2, which shifts to 110+ practices based on NIST SP 800-172 for Level 3.
Triennial (once every three years) government-led assessments come in at Level 3, with triennial third-party assessments for critical national security information at Level 2. However, there are also annual self-assessments for select programs.
Take a look at the graphic below for an illustration:
How do I get a CMMC certificate?
An organization seeking certification must use an authorized C3PAO, found using the CMMC-AB marketplace website. You’ll start by identifying the CMMC level your organization requires to bid on DoD contracts, then choose a CMMC-AB vendor to guide you through the process and run a pre-assessment exercise.
After the C3PAO takes your organization through an assessment against the CMMC requirements, the CMMC-AB will review the assessment. From there, you have 90 days to remediate any issues found before a final decision is made. If and when you’re successful, this certification will last upwards of three years.
How long does it take to get CMMC certified?
Going through the various procedures to acquire CMMC certification can feel like a headache. In reality, though, on average, this is a six-month process for any organization. It’s often advised that you start the process well ahead of any bids you expect to make, and by 2025, almost 500 prime acquisitions are expected to contain CMMC requirements.
It's a much easier road ahead once you’ve gotten to grips with the ins and outs, and you’ll be left feeling grateful once it’s all been pushed over the finish line.
Need help with cybersecurity maturity model certification? Contact Velo!
The cybersecurity maturity model certification can often be seen as a complex issue for some to handle. As such, it can be handy to bring in a team of professionals who are adept at using such a framework on a day-to-day basis - which is where Velo comes into the conversation.
We offer up IT support in a range of different ways, with CMMC falling into that category. Whether it be general guidance or a more specific play-by-play, we’re on hand to offer advice.
Building your business is one thing, but ensuring it continues growing and thriving is another entirely. So, if that sounds like something you’d be interested in, feel free to get in touch!