Holly Sagstetter

CMMC Certification: Don't Miss These 3 Helpful Tips

May 27, 2021

CMMC certification is top of mind for any US government contractor. If that’s you, welcome! This article is going to dive into some helpful tips for new and seasoned contractors on their journey towards CMMC certification.

The United States Department of Defense (DoD) is launching the Cybersecurity Maturity Model Certification (CMMC) program to standardize cybersecurity procedures for US government contractors. Previously, contractors could self-assess their compliance with NIST 800-171, but that will not be the case in the future. Contractors will need to be assessed by a third-party auditor and receive a certification maturity level.

Are you already saying ‘I’m confused. What is CMMC, NIST, etc.?’ Let’s break it down a little more:

  • 2017: Government contractors were supposed to comply with NIST 800-171, which contained 100+ specific actions to prevent cyberattacks and protect confidential government data (usually referred to as Controlled Unclassified Information, or CUI). Contractors could choose the ‘self-assessment’ option, and there was no one checking their work.
  • 2017-2020: Too many firms didn’t actually comply with NIST 800-171, so the DoD started formulating CMMC, which would require contractors to be audited by a third party.
  • 2020: The Interim Rule was announced, and as of November 2020, contractors are required to submit a self-assessment based on NIST 800-171.
  • 2021-2025: Phased roll-out of CMMC.

So if you’re a US government contractor and you want to continue being a government contractor, you need to care about CMMC certification.

What is the difference between CMMC and NIST 800-171?

CMMC and NIST 800-171 are very similar. In fact, in November 2020, the US Department of Defense (DoD) came out with the Interim Rule, which requires companies to perform a NIST 800-171 assessment, fill out some documentation, and upload a score to the DoD’s SPRS (Supplier Performance Risk System).

A key difference between CMMC certification and NIST 800-171 compliance is the maturity levels. CMMC has five levels of maturity, while NIST 800-171 is a single list of security requirements. The five maturity levels of CMMC certification are explained later in this article.

3 Helpful CMMC Certification Tips

If you’re just getting started on CMMC certification prep, or if you’re already burnt out on researching firms to help you with CMMC certification, we’ve got some tips to help you out. We don’t sugarcoat this: CMMC is a huge deal and could kick off some major time-consuming and budget-squeezing projects. BUT it’s a process. You can’t do everything today, and you don’t need to!

#1 CMMC Certification Tip: Start Now!

If you haven’t already, start now. CMMC certification will be a long process, and you need this time to research, prepare and discuss. You don’t want to be scrambling or fumbling at the end.

So how do you ‘start now’? You’ll need to decide if you want to tackle the CMMC beast internally or with external help. Our company has been helping contractors with NIST 800-171 compliance for years, and now we help clients prep for CMMC. The CMMC-AB site has tons of registered practitioners to choose from. Our CISO Josh Ablett is a CMMC-AB Registered Practitioner and coaches clients through the NIST and CMMC standard process.

Another reason to start now, instead of waiting until CMMC is more formalized or until you have a target audit date: CMMC is all about proof. While we haven’t seen anything official, the buzz around the CMMC watercooler is that auditors are going to be looking for you to have six months of evidence before an audit. They’re not planning to pass companies who just slap things in at the last minute and don’t have any history of evidence. So you need to start soon in order to have those processes and documentation in place.

Why start prepping for CMMC certification now? Because CMMC certification is a marathon, not a sprint.

Check out our list of the 21 most common CMMC technology projects.

#2 CMMC Certification Tip: Be Honest

This one might seem a little silly, but it deserves to be mentioned.

As you go through the NIST self-assessment (you know, that Interim Rule we mentioned earlier?), be honest. Even if that means your score is -150 when it could be 110. Yes, it means you have work to do, but at least you’ll know the work that needs to be done! A dishonest, sloppy, or rushed self-assessment score isn’t putting you in a better position. If anything, it’s going to make your life harder in the near future!

Being honest also means targeting the correct maturity level. If your company handles any CUI, you will be assessed at CMMC Level 3.

The Five Levels of CMMC Certification:

  • Level 1 - Performed Processes, Basic Practices - Focus on safeguarding Federal Contract Information (FCI)
  • Level 2 - Documented Processes, Intermediate Practices - A transition step in cybersecurity maturity
  • Level 3 - Managed Processes, Good Practices - Focus on protecting CUI
  • Level 4 - Reviewed Processes, Proactive Practices - Focus on protecting CUI and reducing risk of threats
  • Level 5 - Optimized Processes, Advanced Practices - Focus on protecting CUI and reducing risk of threats

#3 CMMC Certification Tip: Get Leadership Support

We’ve been helping clients with NIST and CMMC projects since 2017, and the key to success is engagement from the client’s executives. CMMC is going to require a ton of changes, and having executive buy-in makes a world of difference.

Your company’s leaders don’t need to be involved in the day-to-day projects, but you will need their support to be successful in the CMMC certification process.

Copyright 2024 Adelia Associates, LLC | All Rights Reserved