CMMC Simplified: Best Practices for Preparing

June 10, 2021

By Jason Connotillo

Protecting information from cybercriminals and unintended loss is a priority for every enterprise, especially the U.S. government. To further limit the impact that cybersecurity events can have on national security and the economy, the U.S. Department of Defense (“DoD”) recently modernized its cybersecurity requirements by commissioning the Cybersecurity Maturity Model Certification (“CMMC”).

But what is CMMC, and who does it affect? If you're a participant in the DoD's supply chain or plan to manufacture either components or finished products for the DoD, this article will break down the basics of what the CMMC is and how best to prepare for compliance.

What Is CMMC?

The CMMC is a new security standard set by the DoD to ensure that participants operating within the DoD supply chain, known collectively as the Defense Industrial Base (“DIB”) sector, protect controlled unclassified information (“CUI”) received while doing either direct or indirect business with the DoD. Learn more about CUI and the CUI Registry at the Federal Government’s National Archives.

With more than 300,000 direct and sub-contracting participants currently working within the DIB, there are many opportunities for risk events to affect national security. The CMMC encourages, and over time will require, uniform cybersecurity protection throughout the DIB. From 2021 to 2025, the DIB must implement at least one cybersecurity maturity level of the CMMC’s requirements, save for participants that produce only commercial off-the-shelf products.

What Does CMMC Entail?

The DoD will assign each DIB participant one of five maturity levels for required CMMC compliance, and the participant must then become certified at that level through an audit by an authorized CMMC assessor. The level assigned is determined by the type and nature of the information flowed down from the participant’s prime contractor. CMMC requirements will be revealed to participants in requests for information and requests for proposals beginning in 2021. The five maturity levels and their controls are:

  1. Basic Cyber Hygiene (17 basic controls)
  2. Intermediate Cyber Hygiene (+55 intermediate controls)
  3. Good Cyber Hygiene (+58 good controls)
  4. Proactive Cyber Security (+26 proactive controls)
  5. Advanced/Progressive Cybersecurity (+15 advanced controls)

To achieve a specific maturity level, the participant must also complete all preceding maturity levels. For example, if a participant needs to reach level 4 maturity, it must also complete levels 1 through 3. The controls are likewise cumulative, so the 171 controls for maturity level 5 include all of the controls from the preceding levels.

Getting Started

If you are new to participating in the DoD supply chain, get a jump start on the CMMC program requirements. Following the steps below to prepare for working as an approved supplier will ease the transition to CMMC when it is required and help you get through the required audit.

  1. Estimate your maturity level by assessing your data footprint and whether you will likely obtain federal contract information and CUI.
  2. Take a National Institute of Standards and Technology (“NIST”) 800-171 self-assessment. NIST 800-171 is the prior standard and correlates roughly to CMMC maturity level 3. Obtain the assessment by signing up on the DoD’s Supplier Performance Risk System (“SPRS”).
  3. Create a System Security Plan (“SSP”) and a Plan of Action and Milestones (“POA&M”) that document the current state of your network and how you plan to achieve 100% compliance.
  4. Submit your assessment, scoring, SSP, and POA&M to the SPRS.

If you already do business with the DoD, you are likely familiar with the current cybersecurity requirements under NIST. Regardless, we highly suggest engaging an independent third party or a CMMC consultant to ensure this process is completed correctly and efficiently.

Next Steps

CMMC helps the DoD standardize security from top to bottom in its supply chain and ensures confidential information remains confidential. While it is not there yet, CMMC certification is certain to become the absolute requirement for obtaining and keeping DoD contracts. Do not wait to get started. The DoD has a CMMC frequently asked questions page where you can find more specific information about the process and how it will affect enterprises.

About Jason Connotillo

Jason Connotillo is a Director within EisnerAmper Digital and leads financial, operations and information technology improvement programs.