If your law firm or your client’s company wish to capture some of the US Department of Defense’s (DOD) $600 billion annual budget, the Cybersecurity Maturity Model Certification (CMMC) will be a requirement for contract awards and will be rolled out over the next five years.
CMMC v1.0 was released January 31, 2020. Revisions will be ongoing. Katie Arrington. DOD CISO, announced all DOD contractors must upload a self-assessment by December 1, 2020 due to a new DFARS Interim Rule to prove their compliance with NIST 800-171.
YOU CAN’T FAKE IT
CMMC is expected to affect over 300,000 companies. If you’re awarded a contract that handles Controlled Unclassified Information (CUI) or you take payment for a contract award from the DOD that includes CUI, you have an obligation to protect it. A required level of cybersecurity maturity will have to be certified by a CMMC third-party assessor organization (C3PAO).
The standard had been set by National Institute of Standards and Technology (NIST) 800-171, and the government required most supply chain defense contractors to adhere to up to 110 security controls.
In fact, the “Christian Doctrine” that was created by a Federal Claims Court in 1963 kind of means that all DOD contractors are subject to the DFARS clause that requires compliance with NIST 800-171.
The problem was that it was all self-attestation, and most contractors were falsely attesting to compliance. You can’t fake it anymore. You can’t avoid it. Several government contractors in the supply chain were getting hacked.
FIND A CERTIFIED ASSESSOR
Under CMMC, you must have the assessment done on your premises by an accredited CP3AO. Registered Provider Organizations (RPOs), like PTG can help you to prepare for the assessment. Obviously, this is affecting defense contractors currently in the military supply chain.
The regulations that exist around personal identifiable information (PII), whether it’s HIPAA for healthcare or Sarbanes-Oxley and other compliance laws for other industries, all are derivatives of the NIST cybersecurity framework. The framework is way past due for an overhaul. CMMC is a robust framework that is the new ISO standard that can be easily applied to any business that handles sensitive information.
WHAT WILL IT COST?
What will it cost to get my firm or my client to CMMC compliant? The answer is, it depends. Cost is highly dependent on cybersecurity maturity. The CMMC contains five levels, ranging from Basic Hygiene (1) to Advanced (5). Most DOD contracts will require levels 1, 2 or 3. The higher you go up the ladder, the more difficult it is to attain.
And it’s not just about getting the proper procedures and security controls in place, it’s also about having the manpower to do ongoing management of the cybersecurity and be able to supply two forms of supporting evidence for each of the controls. Your in-house IT person will most likely need help with the policies, procedures, and security controls. Consider hiring an RPO like PTG that’s accredited by the CMMCAB.
IDEAL TIME TO UPGRADE
The CMMC regulations can serve as a wake-up call for firms and small businesses even if they don’t do business with the DOD right now, as this could bleed over into their industry if they are working with sensitive information, personal identifiable information (PII), or patient health information (PHI).
Visit https://cmmc.petronellatech.com/ – Get your FREE CMMC Guidebook and submit the self-assessment.
Now is the time to prepare for the CMMC rather than waiting until it’s mandated.
The reason I suspect that this will bleed into other industries, is due to the cyber threat called “island hopping,” where hackers use one breach to jump to the next victim.
A good start is to get to the most basic Level 1. Most firms are not compliant.
NEXT STEPS:
To find an accredited assessor, visit https://www.cmmcab.org/. Hire an RPO to help you prepare for the official assessment provided by the C3PAO. The CMMCAB makes sure that you’re hiring a company that has passed all the rigorous tests to make sure that they understand the very complex process as well as the ethics.
