CMMC Audit Preparation & Assessment
Win DoD contracts and grow revenue
Let's start at the beginning
On January 31, 2020, the Department of Defense (DoD) launched a cybersecurity certification and compliance process called the Cybersecurity Maturity Model Certification (CMMC). Its goal is to ensure the cybersecurity capabilities, readiness, and sophistication of the DoD's 300,000+ contractors and subcontractors.
By 2026, all DoD contractors & subcontractors must be CMMC compliant
How CMMC adoption impacts contractors doing business with the DoD
- All large contractors and SMB suppliers must obtain their certification from an independent C3PAO.
- The DoD contracting officer will determine the appropriate CMMC level for the contracts they award and manage.
- The cost of preparing for a CMMC audit and becoming certified will be included in government contracts as an "allowable expense."
- Contractors and suppliers must hold the appropriate certification level at the time of contract award.
What businesses need to be CMMC certified?
All businesses that contract or subcontract on DoD contracts, as well as third-party providers that work with those contracts, are required to achieve CMMC certification.
CMMC Readiness helping large contractors & their SMB suppliers prepare
CMMC Certification & Audits
To verify that DoD contractors have met the appropriate level of cybersecurity controls, the DoD will deploy certified third-party assessor organizations (C3PAOs) to conduct audits of DoD contractor information systems. Based on this audit, a DoD contractor is awarded certification at one of Levels 1-5, provided it complies with 100% of the controls for that level.
Important Dates & Milestones
- January 2020: Release of first full version of CMMC
- June 2020: CMMC requirements included in the request for information (RFI) process
- September 2020: CMMC requirements included in the request for proposal (RFP) process
- October 2020: Certification required for bids on new work
The rollout will continue over a five-year period, with the expectation that all new DoD contracts will include CMMC requirements by fall 2026.
Two ways to prepare
The challenge is that most SMB contractors and suppliers lack the expertise, bandwidth, and financial resources to maintain security & compliance for the long haul.
CMMC RPO Consultant
DoD contractors can partner with a third-party CMMC Registered Provider Organization (RPO) consultant that specializes in CMMC compliance. This will save time, money, and a whole lot of heartache.
Experts can monitor your environment, respond to threats, complete required remediation processes, & maintain compliance for ongoing audits.
Not sure which way you should go? Download the CMMC Readiness Gauge to understand if you are DIY ready or need a little help from a CMMC Consultant.
Based on the results of the Readiness Assessment, a CMMC Consultant should create a remediation strategy. A remediation plan may include simple, low-cost repairs to a network and/or its processes, or it could include the more thorough creation of compliant networks and procedures from the ground up to meet today's cybersecurity requirements.
The remediation plan comprehensively documents the processes that do not meet today's requirements. DoD contractors will find it simpler to implement the required system modifications if they have a well-researched strategy.
Which level does my business need to achieve?
According to DoD statistics, the majority of the Defense Industrial Base (DIB), about 70%, will be made up of contractors and subcontractors who must satisfy basic cyber hygiene, that is, CMMC Level 1.
CMMC Level 3 is the third of five certification levels available to military contractors. Its requirements specifically apply to military contractors that produce or access Controlled Unclassified Information (CUI).
This is a significant barrier, both financially and in terms of bandwidth, for companies seeking to become DoD contractors, because CMMC accreditation does not guarantee contract success.
Post Compliance Monitoring and Reporting
Partnering with your CMMC Consultant/MSSP for ongoing monitoring is a smart move. They have the tools and processes in place to monitor, identify, and report on cybersecurity breaches inside a DoD contractor's systems after the remediation plan is complete and the contractor's systems and procedures comply with the relevant CMMC Level. Remember, CMMC audits are repeated every three years.