CMMC Compliance in Washington DC
CMMC Compliance: Meeting the High Standards
Are your RFPs asking for assurance about your IT systems? Are they referencing the NIST Cybersecurity Framework, NIST 800-53 or NIST 800-171? Are you anticipating a need to get ready for DoD contract responses and CMMC?
The DoD released the current CMMC version 1.02 in March 2020. And DoD says they are still on schedule to include CMMC in a select number of Requests for Information (RFIs) in June 2020.
BEI’s Cybersecurity Maturity Model Certification (CMMC) compliance team is made up of experienced partners who understand both regulatory requirements and business needs. We are monitoring the evolving requirements and assembling our team!
How are CMMC and NIST 800-171 Different?
- They really are not. If you have self-assessed and are in line with NIST 800-171, then you will have to make very few changes to get a CMMC Level 3 certification. CMMC as a whole will include 20 additional controls drawn from some of the ISO frameworks and FedRAMP.
- NIST 800-171 depended on self-certification, but CMMC requires a third-party audit for certification. The organizations that perform these audits will be known as C3PAOs.
CMMC Overview
CMMC is a certification that will be required for every firm that does business with the DoD. Levels of certification range from 1 to 5, with 5 being the most sophisticated or advanced.
- CMMC Level 1 (Basic Cybersecurity): Practices are ad hoc and only some need to be documented.
- CMMC Level 2 (Universally accepted cybersecurity best practices): Practices are documented.
- CMMC Level 3 (Coverage of all NIST SP 800-171 rev 1 controls): Processes are guided by policy, maintained and followed.
- CMMC Level 4 (Advanced and sophisticated cybersecurity practices): Practices are periodically evaluated and revised.
- CMMC Level 5 (Highly advanced cybersecurity practices): Practices are continuously improved and shared across the enterprise.
It is expected that other federal agencies will follow the lead of the DoD, so any organization that does business with the federal government should start this planning process. The standards recommended by CMMC are also just good business practice!
- May 2019: Version 0.1
- Mid 2019: Initial announcement and community meetings, industry feedback
- July 2019: Version 0.2
- September 2019: Version 0.4
- November 2019: Version 0.6, discussion & clarification for Level 1
- December 2019: Version 0.7, discussion & clarification for Levels 2 & 3
- January 2020: Announcement of a non-profit to certify third-party auditors, called the Accreditation Body or CMMC AB
- End of January 2020: Version 1.0 released
- June 2020: CMMC requirements appear in RFIs
- September 2020: CMMC requirements appear in RFPs
- Future: CMMC levels mandatory in all DoD RFPs
So what should you be doing now?
Familiarize yourself with CMMC. Version 1.02 is available now and DoD has provided great appendices and presentations to help guide GovCons.
Review the systems that hold Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) against the Domains, Capabilities and Practices defined in the available version of CMMC. Begin to think about addressing gaps; in other words, perform a pre-audit. We can help!
“We really rely on BEI to provide all the expertise, knowledge and technical resources – Solutions by Design!”
–Government Contractor