The Cybersecurity Maturity Model Certification (CMMC) is a new regulation created by the US Department of Defense (DoD) to improve the cybersecurity of the defense industrial base (DIB) and to raise the low adoption rate of current compliance standards. Despite its slow scheduled rollout, businesses must still comply in the meantime with some basic requirements such as NIST 800-171.
To help you prepare for this adoption, we outlined the top things you need to know about CMMC requirements for small businesses.
1. CMMC Will Affect Your Business
The goal of the CMMC is to improve the cybersecurity posture of the entire DIB. This includes all contractors and subcontractors on defense contracts starting with a few “trailblazer” contracts in FY 2021. Even if you are not one of the lucky early companies to secure a trailblazer contract, if you want to do business with the DoD in the near future, you will need to have your small business comply with CMMC.
This means you will have to review your current cybersecurity setup, compare your current posture to the requirements, work to meet those requirements, and have them officially checked by an approved auditor. All of this takes time, resources, and funds, and you need to prepare your business to provide them.
Only businesses that provide off-the-shelf services to the DoD and that do not handle controlled unclassified information (CUI) get to skip CMMC certification. If you do more than that, you will need to adhere to CMMC requirements for small businesses.
2. You Will Need At Least Level 1 Compliance
The CMMC defines 5 levels of compliance with Level 1 being the easiest to achieve. Each CMMC Level adds additional security controls and process requirements compared to the previous. All contractors and subcontractors are required to achieve at least Level 1 CMMC compliance, but higher levels may be required based on a company’s role on the contract.
An organization’s CMMC compliance strategy should be based on its intended role on defense contracts and the resulting access to CUI. If access to CUI is required, then targeting Level 3 compliance is a good idea.
However, the DoD’s goal is to move most companies to Level 3 – which is roughly equivalent to full NIST 800-171 compliance – or beyond. If your company uses more CUI or is highly integrated into the DoD network, you will likely need to achieve even higher compliance levels.
3. You Will Need to Budget for Compliance
CMMC requirements for small businesses are not free to set up, not cheap to get checked, and cost money to maintain on an ongoing basis. Setting up the proper protocols and technology, and/or hiring good MSSPs, does not come cheap, but it is an investment that pays for itself. According to Security Magazine, a data breach costs the average small business $36,000 to $50,000.
As for the auditing and accreditation process itself, once the adoption and rollout process speeds up, auditors will become harder and harder to come by, meaning you may have to pay a premium to get one to work with you. Take the time to estimate how much the process will cost in total and prepare your business to take on that cost.
4. You Need to Get Started on Compliance Today
The DoD is planning a phased rollout for CMMC compliance. DIB contractors will not be expected to achieve immediate compliance to stay on existing defense contracts. Instead, the DoD plans to require CMMC certification to bid on future defense contracts.
The CMMC rollout process begins in FY 2021 with a set of pathfinder contracts designed to bring about 1,600 contractors into compliance. Over time, increasing numbers of contracts will require CMMC compliance until it is mandatory for all contracts.
The phased CMMC rollout means that immediate compliance is not required, but companies may not have as much time as it seems. Since the CMMC requires third-party audits and accredited auditors are scarce, significant backlogs may exist for CMMC compliance audits.
How Should I Get Started?
The DoD has published the requirements for each level of CMMC compliance. Once an organization has identified its target level, it can work towards implementing the necessary security controls.
An important first step in this process is performing a gap assessment to determine which controls a company already has in place and which are missing. Hyper Vigilance’s Compliance Assessment service provides a full gap assessment and risk-based remediation plan to help small businesses to improve their cybersecurity and achieve full compliance. To learn more about preparing for the CMMC, contact us.