Working as a government contractor involves a lot of confidential government information. Whether it’s being stored or transmitted, safeguarding it is vital to cybersecurity. To promote better firewalls for contractors working with the US Department of Defense (DoD), the government has issued the Cybersecurity Maturity Model Certification (CMMC) program. As many businesses prepare to address the need for these certifications (enactment began September 2020), we wanted to offer an introduction to some necessary CMMC information.
What is CMMC Certification?
The CMMC confirms that government contractors working within the defense industrial base (DIB) — a grouping made up of some 300,000 businesses across the US — follow a standardized list of cybersecurity protocols and procedures. Before implementing the CMMC (documentation of which was released on January 31, 2020), the implementation of cybersecurity procedures was up to individual contractors to figure out. The way they handled IT systems and information storage/transmission was their responsibility, and the roadmap for these efforts was designed internally.
With the introduction of the CMMC, contractors are still responsible for implementation and security monitoring; however, they now have concise rules upheld by third-party reviews and the CMMC Accreditation Body (CMMC-AB). The CMMC provides mandatory compliance standards and practices to conform to the ever-evolving nature of data security.
CMMC Certification Levels
CMMC requirements are framed within five certification levels to show the status of a contractor’s security systems and their procedures for protecting government information. When a contractor achieves a specific certification level, they receive accreditation to be awarded certain contracts. The following is a brief outline of the five levels.
- Level One: The first level requires companies to have basic security measures in place (“basic cyber hygiene”), which includes antivirus software, Multi-factor authentication (MFA), or consistent password changes. These measures ensure the company is protecting Federal Contract Information (FCI), including any government information for a contract not intended for public release. (More details on FCI can be found here.)
- Level Two: Transitioning to Level Two certification requires “intermediate cyber hygiene,” meaning the company follows procedures to protect FCI and Controlled Unclassified Information (CUI) via NIST’s (National Institute of Standards and Technology) 800-171 Revision 2 standards. Any information the government requires to be safeguarded by companies is considered CUI. (More details of CUI can be found here.)
- Level Three: The third level is what the CMMC will deem as “good cyber hygiene,” meaning the company has been certified through Levels One and Two and is following all NIST 800-171 r2 security requirements and pursuing further security standards.
- Level Four: A company granted Level Four has not only implemented significant cyber hygiene protocols but is actively monitoring and reviewing the efficacy of its procedures. Additionally, they’ve provided sufficient processes to detect threats and adaptability to persistent cyber-attacks.
- Level Five: The final level encapsulates all the preceding levels and confirms that a company has an ideal security system, prominent security procedures to safeguard information, and has implemented enhancements to exceed the requirements of previous levels. In other words, they have checked all the boxes for protecting government information outlined by the CMMC.
Meeting the Standards of CMMC
Any company working with the DoD will eventually be required to follow CMMC guidelines, and meeting those requirements begins right now. Even if your organization isn’t in the DIB field, the need to build cybersecurity infrastructure is well on its way to your neck of the woods. If you’re working within the DIB and have been awarded contracts by the DoD, then we recommend the following tips to get you started on receiving CMMC accreditation.
Familiarize yourself with the CMMC
Although we’ve given the basics, the intricacies of CMMC accolades are not so simple. The CMMC Version 1.0 documentation is a thick 338-page document that outlines every aspect of the certification levels. When you begin your certification journey, it’s essential to familiarize yourself with the level you’re trying to attain. Of course, work with the resources and bandwidth you have to get Level One, and then make your way through the others as you’re able to. Your main priority should be getting your foot in the door and getting your Level One. Once you’re there, strategize on how to work toward Level Two and so on.
Pay Attention to CMMC Requirements in Contracts
The contracts you want will determine the tenacity of your CMMC efforts. As you work through certain RFIs and RFPs, pay close attention to the level of CMMC accreditation needed to be awarded that contract. Those making the offers ought to provide enough clarity regarding security and requirements.
If you aren’t able to bid on the contracts you want due to lack of CMMC clearance, work toward achieving those new-level certifications.
Adopt a Flexible Approach to Certification
As cybersecurity needs evolve, the demand for agility and flexible infrastructure grows with it. Cybersecurity, especially within the DIB, is an ever-changing movement toward protecting private information. It requires businesses to design security initiatives to be managed appropriately and adjusted rapidly. As you pursue CMMC certifications, keep in mind potential changes, which are sure to surface in the future.
Start Your CMMC Journey with GovCon365
One of the best ways to get started on the right foot with earning CMMC certifications is getting technology that helps you achieve each security level. With Microsoft Dynamics 365 for Government Contractors, you can ensure that the information you receive from the federal government will always be secure and readily available for an assessment. Not only does our solution help you pinpoint security pitfalls that could hinder certification, but we’ll also help your business with compliance around DCAA and DCMA regulations. With Microsoft Dynamics 365 from GovCon365, you can tie-down your cybersecurity needs.
If you have any questions or concerns, don’t hesitate to contact us via the comments below, or contact us here. We’re always happy to talk!