Blog

The formal rulemaking process that will make Cybersecurity Maturity Model Certification (CMMC) a contractual reality is in full swing. Of the 220,000+ Defense Industrial Base (DIB) members, at least 80,000 will have to acquire CMMC Maturity Level 2 accreditation. All DoD (Department of Defense) contractors — prime contractors, subcontractors, and every link in the DoD supply chain — will be required to comply with CMMC practices soon. Getting there takes time. 

How will the official arrival of the Cybersecurity Maturity Model Certification impact DIB companies? 

Let’s be honest. For the past few years, we’ve all heard a lot of noise about the Cybersecurity Maturity Model Certification (CMMC). We’ve endured delays and changes to the CMMC framework. With all the uncertainty surrounding CMMC, who can blame companies in the Defense Industrial Base (DIB) for not acting, but instead sitting on the sidelines and waiting to see what happens? Put compliance aside for a moment. It’s simply good business sense to know about evolving cybersecurity requirements and practice good cybersecurity hygiene by continuously safeguarding sensitive information and intellectual property.  

We are getting more clarity about CMMC – what the framework will look like and when it likely will become a contractual reality. The time has arrived for members of the DIB to act quickly and prepare in advance of the Final Rule that will formally launch CMMC. CMMC is not going away, and will be here before you know it.  

While the precise date when CMMC 2.0 will begin appearing in Department of Defense (DoD) solicitations remains fluid, it’s important to get ready well ahead of time. Accreditation requires months of preparation and continuous execution. You don’t want to miss out on DoD contracts because you failed to comply – and your competitors did.  

In the coming months, the Government will complete the rulemaking process, after which there will be a period for public comment to finalize the rule. Once final, CMMC will become official – empowering the DoD to include requirements for all companies (and their subcontractors) bidding to possess CMMC accreditation at one of three maturity levels.  

How does the CMMC framework define its three maturity levels of accreditation?  

The DoD estimates that of the more than 220,000 members of the DIB, at least 80,000 will have to acquire CMMC Maturity Level 2 (ML2) accreditation. If your company stores or handles controlled unclassified information (CUI), you’ll be one of them. You’ll have to implement and demonstrate ongoing compliance with the 110 cybersecurity practices designed to protect federal contract information (FCI) and CUI. In some cases, you may be able to self-attest your status and receive accreditation. However, you most likely will need to pass an assessment conducted by an approved CMMC Third-Party Assessment Organization (C3PAO) to get it. 

CMMC 2.0 consists of three maturity levels — which one you’ll need will be a function of the level the DoD assigns to a contract solicitation and your role on that contract:  

• Maturity Level 1 (ML1) targets the protection of FCI and consists of 17 practices.  
• Maturity Level 2 (ML2) expands the focus to include CUI, which represents sensitive (but unclassified) information that would cause harm to U.S. national security should it fall into the wrong hands. A total of 110 practices aligned with controls defined in NIST (National Institute of Standards and Technology) Special Publication 800-171 (including the 17 of ML1) comprise ML2. 
• Maturity Level 3 (ML3) accounts for less common circumstances defined by CUI and programs with especially high value and incorporates additional practices.   

How long does CMMC certification take? 

Regardless of the maturity level of accreditation you seek, preparation takes time – way more than you think – because there’s so much to do. The list below for ML2 is just the tip of the iceberg. Conduct a self-assessment against the 110 practices.  

• Calculate your compliance score following DoD guidelines and upload it to the Supplier Performance Risk System (SPRS).  
• Develop a System Security Plan (SSP).  
• Create a Plan of Actions and Milestones (POA&M) to achieve a perfect compliance score by addressing the practices with which you are not fully compliant within 180 days.  

Prepare with speed and confidence using tools in Exostar’s CMMC Ready Suite. Take advantage of free trials of Exostar’s Certification Assistant and Policy Pro today. 

The self-assessment is easy, right? 

It’s vital to execute the self-assessment with a strict, critical approach. Even if a C3PAO doesn’t evaluate you, self-attestation must be accompanied by an executive’s signed affirmation of accuracy, with companies and individuals subject to prosecution under the False Claims Act for erroneous submissions.   

The fact is, despite what they might think, most DIB companies are nowhere close to a perfect SPRS score. Many need more expertise to understand the extent and complexities of the 110 practices and/or the resources to do the self-assessment properly and efficiently, much less effectively implement the remediation necessary to gain and maintain compliance.  

What to do next along the CMMC journey? 

Traversing the accreditation journey is bumpy and time–consuming. Remember, CMMC requirements will show up in solicitations in the coming months. If you do the math, you’ll understand why you simply can’t put it off any longer – embark on the journey now to be ready. The cybersecurity experts at Exostar are here to help you get through all steps of the process and provide solutions for completing them accurately and efficiently. For instant insights from our team, check out this on-demand webinar about the Roadmap to CMMC Readiness. 

Why start preparing for CMMC now?

On your own, preparing for CMMC can be time-consuming and challenging. Exostar’s CMMC Ready Suite helps you close the gap on all 110 practices in CMMC 2.0 ML2. You’ll be able to meet compliance requirements promptly and efficiently, leading to increased operational efficiency, reduced risk of security breaches, enhanced reputation, and improved competitiveness in the DIB sector.  

To help you navigate the CMMC journey and provide solutions for completing each step of the process, check out the Roadmap to CMMC 2.0, an infographic guide to understanding the requirements and the path to compliance. 

We invite you to discuss directly with a CMMC solution expert.