DoD Contractors Need Knowledge, Tools & the Right Partners
In early 2020, the US Department of Defense (DoD) released the first version of the Cybersecurity Maturity Model Certification (CMMC); a standard for all DoD contractors to implement. Before it’s launch, contractors were responsible for the security of their IT systems and any sensitive information that their systems stored or transmitted. Now, the adoption of CMMC requires third-party assessments of their compliance, including mandatory compliance with particular practices, procedures, and competencies. The goal of CMMC is to level-up cybersecurity across all DoD contractors, as well as demonstrate that each vendor has the ability to meet increasing and evolving cyberthreats.
CMMC Overview: The Basics
By 2025, all DoD suppliers will need CMMC certification. The level of certification needed depends on the level required by and listed in the types of Requests for Proposals (RFPs) that your organization wins by bid.
According to the CMMC Accreditation Body’s (CMMCAB) timeline, the go-live for commercial assessments and CMMC accreditation is Winter/Spring 2021. Training criteria is slated for release in fall, 2020.
The CMMCAB shares a variety of overview information on their FAQ page including:
- The initial implementation of the CMMC will only be within the DoD. At this point, no other Federal, non-DoD contracts require CMMC.
- CMMC relates to NIST in that CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1, plus other practices in specific instances.
- The CMMC model possesses five levels, and each level consists of practices and processes as well as those specified in lower levels. This is different from NIST SP 800-171.
- CMMC, also, assesses how an organization institutionalizes their cybersecurity processes.
- An organization can pursue CMMC certification by working with a CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.
- CMMC will establish a marketplace where approved C3PAOs will be listed.
- A CMMC certificate is valid for three years.
CMMC: Achieving the Level Required to Win Contracts
The CMMC combines cybersecurity standards and best practices into five levels, each of which has a set of required processes and practices.
To bid on a contract a DoD vendor must achieve maturity Level 3 and many contracts require higher levels of CMMC.
While the government provides a CUI System Security Plan (SSP) that covers the 170 cybersecurity processes and procedures, most vendors will struggle to successfully achieve the required CMMC level to bid and win the contracts they pursue.
CyLumena Partnered with Gradient to Help DoD Vendors Achieve CMMC
Their Quorum™ platform covers the full spectrum of cybersecurity, from identification, protection, detection, response and recovery required to meet CMMC Level 3 and above. In fact, their all-in-one solution meets 100 percent of CMMC Level 4 and 5 controls with embedded CMMC compliance and reporting, as well as advanced AI analytics, autonomy, and detection capabilities.
Reduce overhead and management with powerful identification, correlation and prioritization of threats to eliminate false positives. Legitimate threats are then easily remediated with detailed Situation Reports (SitReps) from our expert SOC team. Our virtual CISO service meets CMMC and DoD Revenue Assurance requirements. Plus, Gradient’s cyber Health Roadmap™ utilizes the NIST framework for all cybersecurity processes and procedures to identify, protect, detect, respond and recover from threats.
Powerful Allies to Strengthen Cybersecurity and Accelerate CMMC
Bid and win higher-level contracts that require advanced cybersecurity response and resiliency capabilities. Even with just a few cybersecurity resources in place, most organizations can fast-track to Level 3 certification and beyond with CyLumena and Gradient as your CMMC partners.