Everything you need to know about CMMC

Pete Hoff

On Thursday, August 19, Wursta hosted an information session about the Cybersecurity Maturity Model Certification (CMMC). Here is everything we discussed.

What is CMMC and why do defense contractors need it?

CMMC is a new cybersecurity framework and accompanying certification required by the United States Department of Defense (DoD). Essentially, it is the new umbrella standard, incorporating requirements from the Defense Federal Acquisition Regulation Supplement (DFARS) and from the National Institute of Standards and Technology (NIST). Starting in 2021, contracts offered by the DoD may specify a CMMC level that must be achieved by the time the contract is signed, and all DoD contracts are expected to require CMMC certification by 2026.

During our discussion, about half of our attendees said they have already seen CMMC requirements on their new contract submissions, so some projects are already requiring it of contractors. There are around 300,000 contractors servicing the DoD today. Getting ahead of the game and becoming certified early will help you stay competitive. You can watch the on-demand version of our information session from March 11, 2021 below.

All companies or subcontractors that bid on DoD contracts involving Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will be required to be CMMC compliant at the level mandated in the contract, with one exception: if you’re selling commercial off-the-shelf products, you will not be required to prove CMMC compliance. It’s also important to note that, because of the Christian Doctrine, signing a federal contract signifies that the contractor meets the DFARS-based contract requirements (15 controls) even if this language is struck from the contract.

The types of information that need protecting are the following:

  • Federal Contract Information (FCI) – information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.
  • Controlled Unclassified Information (CUI) – information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

The DoD is up-leveling security requirements to prevent past attacks from happening again

CMMC is needed because of the diverse and ongoing cybersecurity challenges the DoD faces. For instance, the Pentagon receives about 36 million email messages containing phishing attacks and ransomware every day. Despite its best efforts, a 2018 data breach affecting a system operated by a defense contractor at the Pentagon exposed more than 30,000 DoD staff’s personal information.

The Department of Homeland Security issued a warning at the beginning of 2020, cautioning of a possible rise in cyberattacks targeting government networks due to increasing tensions in the Middle East. There is also the constant threat of state-sponsored cyberattacks against the US by China, North Korea, and Russia. Protecting sensitive information is a never-ending battle, and this necessitated a revision of the DoD’s cybersecurity frameworks. Other changes and requirements, like DFARS, have been implemented in the past, but adoption was slower than expected, so a new process is needed.

Ready to start your CMMC process? Wursta is here to help

If you’re using Google as your security platform, you’re in luck. Google is a highly secure platform with compliance certifications, and it can help companies become CMMC compliant through:

  • Data Loss Prevention (DLP)
  • Device Management
  • Compliance
  • Integrations
  • Security/Email Security

Contact us to learn more about Wursta’s CMMC readiness assessment and gap analysis.

To start the process of certification, it’s best to prep with a Registered Practitioner, like myself. Registered Practitioners, affiliated with the CMMC-AB, assist organizations with preparation for the certification. The CMMC-AB is the independent organization that administers the Cybersecurity Maturity Model Certification; it provides training and certification to Assessors and Practitioners who help prepare organizations for certification. There are also CMMC Third Party Assessment Organizations (C3PAOs), which are trained and accredited to assess organizations. It is important to note that anyone who helps prepare an organization for certification cannot also assess that organization, so it’s easiest (and more cost-effective) to consult with a Registered Practitioner before taking the assessment.

Follow these 4 steps to CMMC certification:

  1. Learn about the CMMC’s technical requirements and prepare not only for certification but for long-term cybersecurity agility
  2. Meet the initial 15 safeguarding requirements under FAR
  3. If any Controlled Unclassified Information (CUI) is created as a result of the contract, meet the 110 controls under NIST 800-171 (required by DFARS clause 252.204-7012)
  4. Practice all cybersecurity controls for one year prior to certification

Wursta is here to help you with all 4 steps, especially the first. We offer a readiness assessment and gap analysis; after the initial assessment, a remediation plan is designed. We guide you through each step of the process and establish appropriate monitoring, reporting, and documentation. To find out more and plan when your company should be fully compliant, please contact us.

This blog post was originally published on March 19, 2021 for an event held on March 11, 2021, and has since been updated.