What You Need To Know & How To Get Certified 

Long-awaited cybersecurity regulations from the U.S. Department of Defense (DoD) are finally here in the form of CMMC Model v1.0. And if you’re a contractor who does any business with the DoD or elsewhere in the federal sector, you’re going to need to be certified to continue.

Luckily for you, GoldSky Cyber Security is here to get companies and contractors ready for CMMC. In this post, we’re going to cover what exactly the CMMC is, the gaps in security it addresses, and how GoldSky can help companies get certified.

What is CMMC?

CMMC is the just-released Cybersecurity Maturity Model Certification from the Department of Defense. The goal of CMMC is to review various cyber security standards and combine them to reduce risk against cyber threats. 

These standards include the National Institute of Standards and Technology (NIST)’s guidance on protecting controlled unclassified information (CUI) in non-federal systems (NIST 800-171) and on security and privacy controls for federal information systems. The controls and processes will range across several maturity levels, ranging from basic to advanced. 

Here are the levels and the requirements a DoD contractor will need to implement in order to pass an audit:

• Level 1 – Basic Cyber Hygiene – 17 controls of NIST 800-171 rev1.
• Level 2 – Intermediate Cyber Hygiene – the 17 controls of NIST 800-171 rev1 required for Level 1, plus 48 additional NIST 800-171 rev1 controls, and 7 additional controls.
• Level 3 – Good Cyber Hygiene – all of the above requirements, plus the final 45 controls of NIST 800-171 rev1, and 14 new “Other” controls.
• Level 4 – Proactive – 13 controls of NIST 800-171 RevB, plus 13 new “Other” controls
• Level 5 – Advanced/Progressive – the final 5 controls in NIST 800-171 RevB, plus 11 new  “Other” controls

It’s not surprising to say that the federal government has a huge demand for cyber security. However, not all branches of the federal government are created equal. The Department of Indian Affairs likely doesn’t have the same concerns as, say, the Department of Defense. As you might imagine — things like nuclear weapons have highly sensitive data.

Therefore, the level of sensitivity determines the level of cyber security that a company must have in place. The CMMC requires that any company that does business with the DoD, including primes and subcontractors, must have at least a basic level of cyber security standards. 

Companies also need to get the ball rolling as soon as possible to meet these new CMMC requirements. 

According to Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, all new DoD contracts will contain CMMC requirements by fiscal year 2026. This year, the DoD plans to release 10 requests for information and 10 RFPs that will require CMMC certification for a contract to be rewarded. This five-year timeline before the CMMC will be mandatory in all contracts recognizes the complicated rollout, but since the process of achieving certification will take some time, companies can’t afford to wait. 

Another concern beyond the timeline, especially for small subcontractors, is cost. However, the CMMC is intended to be cost-effective and affordable for small businesses/contractors to implement at the lower levels. 

Who Does CMMC Apply To?

If you work with the DoD or elsewhere in the federal sector, you need to be CMMC certified.

In the federal space, there are a lot of big contractors (Lockheed Martin, for example), that have their arms around security. These large contractors get audited all the time and have the required cyber security controls in place.

However, these large prime contractors must outsource a portion of the work to small-to-midsize businesses. The gaps in cyber security controls lies with these smaller subcontractors, as many of these companies do not have the proper cyber security in place. The CMMC is specifically targeted toward these small subcontractors.

Why Did the Department of Defense Create CMMC?

The CMMC is the latest effort from the DoD to address cyber security concerns. 

In 2015, the DoD published the Defense Acquisition Federal Regulation Supplement (DFARS) to mandate that private DoD contractors adopt cyber security standards according to the NIST SP 800-171 cyber security framework. DFARS was written specifically for small subcontractors to ensure that they have security controls in place. The primary concern, specifically within the U.S. defense supply chain, was the threat of foreign and domestic cyber attacks. 

But instead of making DFARS an absolute requirement, the DoD made DFARS compliance a competitive advantage to landing contracts. Since its release, many companies have attempted to understand and implement DFARS according to the NIST SP 800-171 standards. Some have hired 3rd-party managed service providers like GoldSky for help. 

But the problem is that too many subcontractors have chosen not to. Many have never been audited. Until now, all a subcontractor needed to do to land contracts is self-attest and say they have cyber security in place even if they don’t.

Simply put: many subcontractors are lying, saying they have controls in place and winning jobs against competition that is following the rules. There are reported cases of subcontractors making false claims to land DoD contracts, only to later be found to be non-compliant. 

Because of this deception and slow adoption rate of DFARS, the DoD created and released the CMMC to ensure that the appropriate levels of cyber security controls are in place. CMMC certification will be mandatory for all subcontractors and will protect the sensitive information that subcontractors have access to within the DoD. 

Once a company achieves a CMMC certification, it can then bid on contracts across the DoD and military services. CMMC certification will be good for three years. 

Achieving certification may prove to be a challenge for some companies, but thankfully, help is available.

How Subcontractors Can Prepare for a CMMC Audit

CMMC audits will be coming, and subcontractors will need to be ready if they want to continue doing business with the DoD. 

First, subcontractors need to determine which level of the CMMC they must meet to continue business with the DoD. The level required will depend on the sensitivity of the information the contractor has access to. 

The CMMC levels call for different controls outlined in  NIST SP 800-171 Rev. 1 and NIST SP 800-171 Rev. B. Contractors that have already implemented NIST SP 800-171 controls should therefore have an easier time passing a CMMC audit, but those who have not will likely require more assistance. 

For others, the best (and likely only) way to meet the new CMMC cyber security requirements will be to outsource the task to a CMMC Third Party Assessment Organization (C3PAO). This means seeking the help of a cyber security company like GoldSky. 

We must note that GoldSky is NOT an auditor, but will help get companies ready for the CMMC audit. 

To get companies ready for the CMMC, GoldSky will first conduct a gap control assessment to see if these companies do indeed have the required controls in place. The gap analysis helps companies identify potential vulnerabilities within its procedures, data storage, and network. If gaps are found, GoldSky will help put the controls in place to help subcontractors achieve their desired level of certification. 

GoldSky can help companies put a cyber security plan in place according to the NIST SP 800-171 framework and the CMMC. GoldSky will also be there to monitor and respond to any security incidents. 

GoldSky Cyber Security Solutions has offices in Denver, Orlando, Nashville, Washington D.C & Tampa.  GoldSky offers reliable 24/7/365 security solutions to federal contractors throughout the entire U.S. Get in touch to learn more on how GoldSky can help your company achieve CMMC certification today.