November 2021 update on CMMC 2.0: requirements have been pared down. For contractors who are still working on NIST 800-171 compliance, we don’t expect much to change in the near-term, though the burden of proof / evidence should be significantly lower.
Need help? Our coaching model helps you avoid high consulting fees.
CMMC certification is top of mind for any US government contractor. If that’s you, welcome! This article is going to dive into some helpful tips for new and seasoned contractors on their journey towards CMMC certification.
The United States Department of Defense (DoD) is launching the Cybersecurity Maturity Model Certification (CMMC) program to standardize cybersecurity procedures for US government contractors. Previously, contractors could self-assess their certification with NIST-800-171, but that will not be the case in the future. Contractors will need to be assessed by a third-party auditor and receive a certification maturity level.
Are you already saying ‘I’m confused - what is CMMC, NIST, etc?’ Let’s break it down a little more:
So if you’re a US government contractor and you want to continue being a government contractor, you need to care about CMMC certification.
CMMC and NIST 800-171 are very similar. In fact, in November 2020, the US Department of Defense (DoD) came out with the Interim Rule, which requires companies to perform a NIST 800-171 assessment, fill out some documentation and upload a score to the DoD’s SPRS system.
A key difference between CMMC certification and NIST 800-171 certification is the varying maturity levels. CMMC has five levels of maturity, while NIST 800-171 is one list of security requirements. These five maturity levels of CMMC certification are explained more later in this article.
If you’re just getting started on CMMC certification prep, or if you’re already burnt out on researching firms to help you with CMMC certification, we’ve got some tips to help you out. We won’t sugarcoat this: CMMC is a huge deal and could kick off some major time-consuming and budget-squeezing projects. BUT it’s a process. You can’t do everything today, and you don’t need to!
If you haven’t already, start now. CMMC certification will be a long process, and you need this time to research, prepare and discuss. You don’t want to be scrambling or fumbling at the end.
So how do you ‘start now’? You’ll need to decide if you want to tackle the CMMC beast internally or with external help. Our company has been helping contractors with NIST 800-171 compliance for years, and now we help clients prep for CMMC. The CMMC-AB site has tons of registered practitioners to choose from. Our CISO Josh Ablett is a CMMC-AB Registered Practitioner, and coaches clients through the NIST and CMMC standard process.
Why start now instead of waiting until CMMC is more formalized or until you have a target audit date? Because CMMC is all about proof. While we haven’t seen anything official, the buzz around the CMMC watercooler is that auditors are going to be looking for you to have six months of evidence before an audit. They’re not planning to pass companies who just slap things in at the last minute and don’t have any history of evidence. So you need to start soon in order to have those processes and documentation in place.
Why start prepping for CMMC certification now? Because CMMC certification is a marathon, not a sprint.
Check out our list of the 21 most common CMMC technology projects.
This one might seem a little silly, but it deserves to be mentioned.
As you go through the NIST self-assessment (you know, that Interim Rule we mentioned earlier?), be honest. Even if that means your score is -150 when it could be 110. Yes, it means you have work to do, but at least you’ll know the work that needs to be done! A dishonest, sloppy, or rushed self-assessment score isn’t putting you in a better position. If anything, it’s going to make your life harder in the near future!
Being honest also means targeting the correct maturity level. If your company handles any CUI, you will be assessed at CMMC Level 3.
The Five Levels of CMMC Certification:
We’ve been helping clients with NIST and CMMC projects since 2017, and the key to success is executive client engagement. CMMC is going to require a ton of changes, and having executive buy-in makes a world of difference.
Your company’s leaders don’t need to be involved in the day-to-day projects, but you will need their support to be successful in the CMMC certification process.