
CMMC FAQs

by Claire Kenyon
May 30, 2021

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) consists of five maturity levels that build upon existing government cybersecurity regulations across the Defense Industrial Base (DIB). CMMC is managed by the CMMC Accreditation Body and influenced by the Department of Defense (DoD) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). It was created in response to the significant threat to sensitive information found throughout the defense supply chain.

Why is CMMC important?

CMMC was introduced to create a top-down enforcement framework within the DIB around the CUI and FCI data classifications, furthering the compliance directives set forth by NIST 800-171 and DFARS 252.204-7012. Each level of CMMC adds security measures to prevent a data breach. This in turn offers assurance within the DIB that a contractor can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level proportionate to the risk.

How does CMMC work?

CMMC consists of five maturity levels, each containing defined practices, and each practice contains objectives that must be met. An organization within the DIB must adhere to the practices and objectives set forth in CMMC. Non-compliance may be grounds for contract cancellations and more. It is incumbent upon the individual contractor to ensure that their organization and its suppliers are certified to the appropriate CMMC level. For example, FCI data may only require a CMMC maturity level 1 certification, but CUI data will require an organization to be certified at maturity level 3 or higher. Deviation from such requirements will likely result in lost contracts and otherwise be costly to an organization.

The five levels are as follows:

  • Level 1: Performed, Basic Cyber Hygiene – The ‘basic safeguarding’ of FCI
  • Level 2: Documented, Intermediate Cyber Hygiene – Transition step toward protecting CUI (not yet sufficient to receive it)
  • Level 3: Managed, Good Cyber Hygiene – Lowest level of certification allowed to receive CUI
  • Level 4: Reviewed Cyber Hygiene Practices – Adequate protection of CUI from Advanced Persistent Threats (APTs)
  • Level 5: Optimizing Cyber Hygiene Practices – Sophisticated protection of CUI and reduced risk from APTs

To conduct business within the Defense Industrial Base where CUI or FCI data is involved, contractors and subcontractors will need to be certified under CMMC. To demonstrate compliance, a DIB contractor will need to adhere to the practices defined within CMMC and provide evidence of that compliance in order to achieve certification at the appropriate maturity level.

The practices of each level are as follows:

Total number of practices required to achieve the highest level of CMMC: 171 practices

Businesses certified at levels 1 and 2 will be required to be recertified every three years. Level 3 certification will be required twice yearly, and levels 4 and 5 will need to be certified every year.

Who needs to be CMMC certified?

Any contractor of the DoD, and any organization creating, storing or transmitting Federal Contract Information or Controlled Unclassified Information, will be required to obtain a certain level of CMMC. This includes all suppliers at all tiers of the supply chain and all organizations regardless of size. DIB contractors that do not obtain a CMMC level will be prohibited from participating in DoD contracts in the future.

How do I get CMMC certified?

Contractors can begin preparing for CMMC now. A good initial step is to undergo a NIST 800-171 self-assessment or third-party audit. This is also an effective way to identify the next steps needed to meet current cybersecurity practice requirements.

A NIST 800-171 assessment will give your organization insight into which deficiencies need to be addressed. Once you have implemented the NIST 800-171 controls, you can conduct additional gap assessments against the defined CMMC requirements for the maturity level you will be required to meet. Maturity levels 1 and 3 are the most common.

Once you are implementing all practices in accordance with the corresponding CMMC requirements, it is recommended that you undergo a review by a CMMC Registered Provider Organization (RPO). Under guidance from your RPO you can then ready yourself for a certification audit with a CMMC Certified Third-Party Assessment Organization (C3PAO).

Certified CMMC C3PAOs can be found through the CMMC Accreditation Body website.

How much does CMMC certification cost?

CMMC is a new regulation that has not yet been fully implemented, so the total cost businesses could face in obtaining certification is not yet known. CMMC has been championed by some as low-cost for DIB organizations, but in practice it can be very expensive without cost-reducing measures. Without compliance-focused technologies, this compliance initiative can be a costly burden. Compliance-focused applications like SafeShare can greatly reduce the costs associated with CMMC. Additionally, using such efficient and cost-effective measures can help DIB organizations recover the costs of compliance from the DoD.

What happens if I don’t get CMMC certification?

Like any other national regulation, failure to comply will result in substantial penalties. Non-compliance can result in criminal and civil litigation, along with fines and other penalties such as lost contracts, loss of federal funding, government hearings on the incident, and devastating damage to the reputation of the organizations implicated. Furthermore, if there is a data breach and the contractor is found to be out of compliance, it can result not only in termination of the current contract, but in a complete bar on the organization participating in future contracts with the DoD or its contractors.

How can SafeShare help achieve CMMC?

SafeShare provides your organization with technology that was built from the ground up for strict cybersecurity requirements. SafeShare’s turnkey solution for compliance and data governance has been tested and proven over 14 years of service to armed forces and defense industries across the globe.

As a SafeShare administrator you have an overwatch position over the data in your care: you can create access control policies for other users to abide by, monitor the audit logs, create clearances and classifications, and control data sharing with approved, whitelisted companies.

SafeShare has 37 practices mapped under CMMC maturity levels 1, 2 and 3, which equates to 29% of the entire maturity level 3.

Click here to read more on how SafeShare maps to CMMC.
