CMMC Compliance for Defense Industrial Base (DIB) Contractors: An Accelerated Certification Guide
Although CMMC is not a current requirement, all DIB contractors will eventually be required to obtain a CMMC certification by 2025. Since the first solicitations requiring a CMMC maturity level are appearing in 2020, there are advantages to starting the certification process as soon as possible. Within the next month, the DOD is expected to produce 10 “pathfinder” contracts. Each one is expected to affect some 150 contractors and subcontractors, and it will grow from there. To help Defense contractors at all stages of the certification, we’ve developed this resource page.
Below, you’ll find high-level introductory details about CMMC, what you’ll need to do to be compliant, the benefits of becoming compliant now, and how to officially get started.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) was created by the DoD in response to the ever-evolving threat landscape.
It is a verification mechanism designed to ensure adequate cybersecurity protection of Controlled Unclassified Information (CUI) residing on Defense Industrial Base (DIB) systems and networks. Combining elements from NIST and other cybersecurity control standards, CMMC will eventually become the singular standard for CUI cybersecurity.
Once CMMC is fully live, prime contractors (and their subcontractors) will need to meet a CMMC trust level (1-5) as determined by independent validation audits. Certifications are good for three years; without CMMC compliance, DIB contractors will not be eligible for initial awards or continuations of defense contracts.
How Does CMMC Differ From Prior Standards like NIST 800-171? What are the Implications?
CMMC grew out of a lack of compliance with NIST 800-171 across the DIB. The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with response to cybersecurity measures.
The CMMC standard was designed to be an enforceable, monitored, proactive approach to instilling a culture of cyber-security across the DOD supply chain. It differs in a few key areas:
What Should Defense Contractors Do Now?
We are still in the early phases of CMMC rollout, but DIB contractors need to be proactively learning about the technical requirements and getting ready for certification as well as continued compliance.
Contractors should also keep the following dates in mind:
- June 2020: CMMC to begin appearing in RFIs
- September 2020: CMMC to begin appearing in RFPs
Get Compliant in Under 30 Days
Ready to start your compliance process? Acting early positions you to meet DoD needs now and opens the door for early opportunities. See how TekStream has partnered with Splunk to bring you a prescriptive solution and implementation consultancy.
The 5 CMMC Trust Levels
The level of certification necessary will depend on where you fall in the supply chain. There will be several dozen or more subcontractors working in concert to provide the necessary materials, time, and technologies to support the prime contractor.
The prime contractors and the government sponsor are responsible for the entire supply chain for CMMC levels.
The levels are described as follows:
The Benefits of Early Action and Where to Start
The first and most obvious benefit of going through the compliance process now is that this is going to be required in the next few years.
Acting early puts you ahead of the curve, prepares you to meet DoD needs now, and opens an opportunity for the pathfinder contracts (if applicable).
So, where should contractors start?
There are a number of consultants offering compliance assessments and reviews, but the quickest and most effective way to kick off your CMMC effort will be a tandem partnership with a prescriptive solution and implementation consultancy.
TekStream and Splunk have partnered to bring you the exact solution and expertise you need to make getting and, as importantly, staying compliant as seamless as possible and a smooth process for years to come.
Using Splunk, TekStream's team can you bring you from 0 to compliant in as little as 30 days.
No one needs another lengthy compliance assessment, and although an analysis of gaps and existing procedural controls is critical, it need not be the first step. Gaps can be identified in the process of implementing an automated CMMC monitoring solution. Essentially, the process starts with gathering all of the available information across your enterprise and implementing automated practice compliance. Gaps are naturally discovered in the process of implementing a solution.
The automated practice controls can be leveraged in the context of SOPs that are repurposed into applicable SSPs, POAMs, and business plans. The exact nature of the process will depend on your specific needs, but in general, the following will occur:
By partnering with TekStream and Splunk, you’ll be getting:
- Installation and configuration of Splunk, CMMC App, and Premium Apps in mere weeks.
- Pre/Post CMMC Assessment consulting work to ensure you are meeting or exceeding CMMC level requirements.
- Optional MSP/MSSP/compliance monitoring services to take away the burden of data management, security, and compliance monitoring.
Once you’ve gone through the CMMC compliance process with TekStream, compliance and auditing is ongoing and monitored on an automated basis for each practice and summarized in a centralized auditing dashboard.
It significantly reduces risk of non-compliance and the cost and effort associated with attestation every 3 years.
If you’re already using Splunk, this opportunity should be a no brainer.
If you are new to Splunk, what better way to procure a best-in-class security, compliance, and operational intelligence platform?