If you’re reading this insight, then you are probably familiar with the new Cybersecurity Maturity Model Certification (CMMC). In short, CMMC is the Department of Defense’s (DoD) newest method to ensure appropriate levels of cybersecurity practices and processes are in place for industry partners and their supply networks.
Here’s a common predicament we see all the time:
Here are some key distinctions about CMMC that will be important to you:
- Starting in January 2021, companies that do business with the DoD will need to pursue CMMC certification.
- CMMC certifications will be valid for three years.
- CMMC will measure a company's cybersecurity processes and practices across five maturity levels, with only the companies that have the most robust cybersecurity practices reaching level five.
- Before the DoD awards a contract, a company will need to be certified at the CMMC level that contract requires.
- CMMC will require a higher level of controls, and adds a process-maturity dimension, compared with the cybersecurity frameworks that preceded it.
- CMMC will require an assessment by an accredited third party rather than self-attestation.
Though CMMC certification will be necessary, most small to mid-sized businesses still have gaps in their cybersecurity and are not yet ready to be assessed.
CMMC is built on existing cybersecurity frameworks such as NIST SP 800-171 from the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS) Controls, and ISO/IEC 27001 from the International Organization for Standardization/International Electrotechnical Commission, so if you have been actively working toward compliance with these frameworks, you are already a step ahead. Measuring yourself against them will help you identify the gaps in your cybersecurity that you need to close in order to receive a CMMC certification.
Ultimately, though, attempting to get certified in CMMC before you fill all of your cybersecurity gaps will be a waste of time and money. We recommend that you first invest in identifying and closing those cybersecurity gaps so you can pass the certification on the first try with flying colors.
Becoming CMMC certified will not happen overnight, but it's best to get started now so you can be certified in time for any upcoming DoD contracts.
Here are four steps you should follow to get ready for applying for your CMMC:
- Perform a basic cybersecurity audit and remediation for your environment. Identify the major gaps in your cybersecurity and get those fixed.
- Develop a roadmap to CMMC. This is a more thorough audit and can take 30 – 60 days.
- Execute the roadmap. This can take between 30-180 days depending on how many gaps exist and your budget to solve the problems.
- Acquire CMMC certification through an assessor accredited by the CMMC accreditation body.
Depending on your business's current level of cybersecurity sophistication and the CMMC level you are aiming for, it can easily take 6 to 12 months just to get ready for the certification process, so the longer you wait to get started, the later you'll be to the game.
The stakes are clear.
You must be CMMC certified to be allowed to bid on and perform future DoD contracts.
If you are not certified, you are shut out of the DoD marketplace entirely.
Don’t wait, today is the day to get started. Talk to a Lazorpoint expert about how we can help you become CMMC certified.