The United States Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) with the intent of establishing a measurable industry standard for cybersecurity. Developing a system to evaluate cybersecurity practices could help the DoD determine whether it should partner with an organization.
All organizations seeking a DoD contract must hold a CMMC certification, which is one reason it is so valuable to have. It also sets the bar for effective cybersecurity against today’s top threats.
WHY DID THE DOD IMPLEMENT CMMC?
Beginning in 2017, any organization holding a DoD contract was responsible for self-monitoring and self-assessment of its cybersecurity. The government issued standards under NIST 800-171, but there were issues. For one, the regulations were sometimes convoluted or hard to apply; for another, businesses could self-monitor, which led to many breaches.
In response, in 2019, the DoD conceived of CMMC, which was implemented in September 2020. While many of the practices and regulations are similar to those under NIST 800-171, the significant change is that companies are no longer solely responsible for evaluating and reporting on their cybersecurity practices. Now, a third party not affiliated with the government or the company evaluates and certifies an organization’s cybersecurity protocol against the CMMC standards.
CMMC’S FIVE TIERS
Of course, not all companies need to handle top-secret security clearance data, which is why CMMC has five tiers. Each indicates a different level of cybersecurity. Even the lowest tier represents a high level of security and competence in protecting against outside attacks. To obtain a particular tier of CMMC, you must meet the standards of all previous tiers in addition to the requirements of that tier.
Accordingly, DoD contracts will specify which CMMC level they require. The five tiers have also been used outside of DoD contracts to convey levels of preparedness against cybersecurity threats. In this way, the CMMC has been successful in establishing industry standards.
OBTAINING CYBERSECURITY MATURITY MODEL CERTIFICATION
There are several steps involved in obtaining CMMC. The first phase involves assessment and analysis. You can perform this assessment yourself, but it’s wiser to bring in a third party who can more clearly analyze your strengths and weaknesses. Once you do, you can definitively identify your scope. This includes what security level you may currently qualify for and where you want to go based on the services your organization provides and the clients with whom you work.
Now that you know your scope and where your gaps lie, you can remediate them and bring your company up to standard in preparation for the CMMC assessment. In addition to implementing new practices, you also need to get organized for the assessment by identifying and communicating with key employees, developing a rough order of magnitude (ROM) plan, and sketching a plan for the evaluation.
Once the third-party assessment is complete, your organization will receive post-assessment reports along with the assessor’s recommendations for CMMC certification. The assessor may accept your requested level and grant certification, or approve a lower level than requested; in many cases, the organization still has some remediation to do.
You’ll have 90 days to take those steps, and if you don’t satisfy the remediation conditions, your organization must start the assessment process again. If your organization passes its assessment, your CMMC certification is valid for three years before you need to re-certify.
HOW CAN TAG SOLUTIONS HELP?
TAG Solutions offers complete cybersecurity services for any organization, including those seeking CMMC. Your Albany managed service provider will analyze and evaluate current practices, recommend changes, and oversee implementation.
TAG Solutions can also issue Cybersecurity Maturity Model Certification when your company is ready, which opens many doors for bidding on contracts and fully protecting your organization. As a managed service provider near you, we can also help with other needs, from a disaster recovery runbook to unified call solutions to business phones in Albany.