TNP Blog

How to get started on the DoD’s CMMC certification?

Written by The Network Pro | Aug 30, 2021 4:40:51 PM

The defense industrial base, or DIB, has become a common target for cyberattacks that range widely in scope and complexity. With so many threats lurking around every corner, U.S. defense capabilities are at risk, which has turned the matter into a national security issue. These concerns have led to the creation of stricter security compliance standards that Department of Defense contractors and subcontractors must apply on a daily basis. With over 300,000 DoD companies interacting with the defense industrial base, the risks have only grown over the past few years. As a result, the CMMC was adopted as a framework that unifies the cybersecurity standards all contractors must comply with.

Understanding the CMMC Certification

CMMC stands for Cybersecurity Maturity Model Certification, and it serves to ensure that companies and contractors meet the levels of security required to do their work. The certification verifies that a contractor has implemented the mandatory cybersecurity controls and put in place the specific measures needed to follow the military’s security standards. Before the adoption of CMMC, companies in this industry were not required to prove that they were following security procedures, which led to gaps and loopholes in their security systems. With CMMC in place, those gaps are meant to be closed, because compliance now has to be demonstrated rather than assumed.

The CMMC serves to ensure that third-party contractors are able to defend against cyberattacks and prevent threats from evolving into more serious incidents. It also serves to differentiate levels of compliance in alignment with different levels of security risk. Thus, the CMMC certification consists of several levels, including the following:

  • Level 1 - Basic Cyber Hygiene - includes 17 basic cybersecurity practices as the entry level of the certification.
  • Level 2 - Intermediate Cyber Hygiene - a significant step up from Level 1, adding 55 further cyber hygiene practices.
  • Level 3 - Good Cyber Hygiene - an optimal security level that adds 58 further security practices drawn from the NIST framework.
  • Level 4 - Proactive - a fully enhanced cybersecurity program that adds 24 practices which could be considered advanced.
  • Level 5 - Advanced/Progressive - the fully advanced level, encompassing all 171 practices required for the highest level of CMMC certification.

How to Get Certified

Now that the CMMC certification is becoming mandatory in the defense industrial base, companies and contractors are required to obtain, at a minimum, certification at one of Levels 1 through 3. This demonstrates how mature and reliable their security program is. While the basic levels of certification will be absolutely necessary for a third party to be hired at all, companies and contractors holding Levels 4 and 5 of the CMMC certification will most likely be prioritized. So the question is: how do you start working toward the CMMC certification?

For starters, keep in mind that you cannot self-certify for the CMMC. Each company and contractor must be properly audited by a certified third-party organization to ensure its security controls meet the certification standards. The first step in the process is to identify which level of maturity you are aiming for. This will allow you to create a comprehensive plan and a list of procedures that must be implemented before the audit.

Because fully implementing the CMMC is estimated to take around five years, it is important to start as early as possible so you can cross as many items off the list as you can. Depending on the current state of your security program, you might need to revise and update your security policies, check for potential gaps in your systems, scan all operating systems, and ensure they are up to date. Most companies take roughly six months to achieve a given level of certification, which gives you a better idea of how to structure your action plan.

Take the First Steps

Once you have determined the CMMC level you are aiming for, set a budget you can dedicate to the compliance requirements. This will cover the costs of enhancing security as well as hiring a third-party assessor. Then move on to implementing the security measures one by one, and regularly check for CMMC updates to make sure you are following the latest developments. Once ready, call in an assessor to evaluate your security program. If all goes well, you will receive the CMMC certification at your desired level. If gaps are found in your security, you will have up to 90 days to resolve the issues and repeat the audit.