As of Nov 2021, CMMC 2.0 was introduced and the information below may not apply in its entirety.
Authorized RPOs Are Available to Assist
Are you a registered contractor in the Department of Defense supply chain? Do you want to remain in the chain in order to continue to bid on DoD work?
Unless you’ve already begun the lengthy process of updating your cybersecurity program to prepare for the CMMC assessment, the clock is ticking on CMMC compliance for your organization.
The CMMC Accreditation Board has approved the first group of Registered Provider Organizations (RPOs) to assist contractors in preparing for the mandatory CMMC assessment. The Board is also approving third-party assessors to conduct those required assessments in order to certify contractors at one of five levels of cybersecurity compliance.
Securing the DoD Supply Chain
To secure its extensive and vulnerable supply chain, DoD this year announced that contractors will no longer be permitted to self-attest to their cybersecurity compliance, but instead must be certified compliant by an accredited third party.
The new Cybersecurity Maturity Model Certification (CMMC) was developed to better protect the sensitive data housed in defense contractors’ information systems, which have proven to be attractive targets for hackers, unfriendly nation states, and evolving advanced threats. The new model is highly complex, encompassing a variety of requirements across five certification levels which range from Basic Cyber Hygiene (Level 1) to Advanced/Progressive Cybersecurity (Level 5).
Certain DoD Requests for Proposals (RFPs) will require all bidding contractors to meet Basic certification in the near term, with a phased implementation plan requiring certification, at the appropriate level for the individual organization, in order to bid on any DoD contract.
When Do CMMC Requirements Take Effect?
The window opened in November 2020 and is open now.
The CMMC program was introduced in January 2020. Defense contractors and subcontractors were able to begin the process of becoming compliant as early as November 2020. The preparation time to become certifiably compliant is estimated to range from six to 12 months depending on the contractor’s current state of cybersecurity.
Once certification under the CMMC is achieved, it must be maintained and renewed every three years to remain current.
Contractors and subcontractors have a five-year period to achieve compliance, from November 2020 to October 2025. For businesses, both large and small, who are competing for RFPs and contracts that specify a requirement for CMMC, it will be mandatory to have the appropriate CMMC certification level in order to be considered.
Who Is Required to be CMMC Compliant?
The Federal Procurement Data System indicates there are 212,657 contractors, with 8,309 subcontractors, for a total of 220,966 in the DoD supply chain.
By October 1, 2025, all entities desiring to be awarded DoD contracts and orders will be required to have achieved the CMMC Level identified in the RFP or other solicitation, from Level 1 to Level 5. It is estimated that 129,810 contractors will pursue CMMC certification during the initial five-year period, representing 59% of the total DoD supply chain.
Exceptions may be made for contracts or orders exclusively for (1) commercially available off-the-shelf items, or (2) those valued at or below the micro-purchase threshold, which has been raised from $3,500 to $10,000.
Smaller Contractors Compromise 74% of Supply Chain
Of the total 220,966 contactors, the lion’s share are small businesses. Some 74%, or approximately 163,391, are small contractors and subs. Unfortunately, it is these smaller businesses who are more likely to be overwhelmed by the complexity of the new cybersecurity compliance model, as has frequently been the case with other federal regulations.
The good news is that most smaller contractors are expected to have to comply with Basic Cybersecurity requirements (Level 1), rather than a more challenging level of security. And assistance is available immediately to help these contractors prepare to implement Level 1 requirements.
Top Five Industries Specified for CMMC Compliance
The top five industries governed by the CMMC rule, according to the Federal Register, Volume 85, Number 189, dated September 29, 2020, are these:
- Research and Development in the Physical, Engineering, and Life Sciences (Except Biotechnology) (NAICS code 541712)
- Engineering Services (NAICS 541330)
- Commercial and Institutional Building Construction (NAICS 236220)
- Other Computer Related Services (NAICS 541519)
- Facilities Support Services (NAICS 561210)
The North American Industry Classification System (NAICS) is the standard used by federal statistical agencies in classifying businesses for the purpose of collecting, analyzing, and publishing statistical data about the U.S. business economy.
The five industries above were identified based on review of NAICS codes associated with contract awards that include specific reference to FAR 52.204–21 or DFARS 252.204–7012 requirements, which have been incorporated into the CMMC requirements
The Clock is Ticking
Some of the largest DoD contractors have already begun their journey toward CMMC compliance. The stakes are enormously high, and the faster they move from the old self-attestation model to the new third-party certification model, the better their position in competing for upcoming DoD contracts.
For the 74% of the supply chain that consists of smaller contractors, expert guidance and practical assistance are immediately available to ensure they are also well-prepared to undergo the third-party cybersecurity assessment.
Now, there is no reason to postpone the inevitable, jeopardize good standing in the supply chain, or place future contract awards at risk.
Registered Provider Organizations are authorized to assist contractors in preparing for their new certification and CMMC compliance. In recent months, the Accreditation Body for CMMC has been evaluating applicants for RPO status.
To help contractors begin the path to CMMC compliance and preparing for the third-party assessment, the first RPOs have been officially accredited as of December 2020, and 24By7Security was among the first to earn RPO status.
CMMC Readiness Service Available Immediately
24By7Security has successfully developed a CMMC Readiness Service to thoroughly prepare contractors for compliance and assessment, which is mandatory to ensure a contractor meets all requirements before being awarded certification by the CMMC Accreditation Body.
”We are proud to have been approved as a Registered Provider Organization, with the CMMC Accreditation Body’s validation of our experience and expertise,” said Sanjay Deo, President and Founder of 24By7Security, Inc. “We are fully equipped, approved, and registered to assist defense contractors in successfully complying with CMMC requirements in order to pass the CMMC assessment.”
Ten Steps to Compliance
The CMMC Readiness Service developed by 24By7Security includes four phases: gap assessment, remediation, audit and certification, and ongoing optimization. The service was carefully designed to avoid waste and error and to be completed in a reasonable timeframe.
The ten steps of the certification readiness process begin with identifying a contractor’s appropriate level of cybersecurity certification within the new model. This includes documenting their current cybersecurity state, as well as documenting the gaps between their current state and their optimum cybersecurity level.
Subsequent steps include preparing a comprehensive plan to address the identified gaps, and then executing the plan to remediate those gaps.
Once completed, a Certified Third Party Assessor Organization is identified and scheduled to conduct the audit and certify the contractor.
Other steps entail preparing the required volumes of policies and procedures and performing vulnerability assessments, penetration testing, and similar services to test the contractor’s procedures and cybersecurity protections against the new CMMC requirements.
Recognizing the complexity of the certification model and the variety of regulatory requirements in play, 24By7Security also developed a proprietary programmatic tool that accounts for all elements required by the model. This tool enables the CMMC Readiness Service to be performed consistently and thoroughly and thereby helps contractors achieve certification readiness very efficiently.
To ensure that the proper level of cybersecurity is maintained by contractors seeking and achieving certification, the final step of the CMMC Readiness Service involves monitoring contractor security controls and optimizing them throughout the certification’s three-year lifespan. In this way, contractors will be able to maintain compliant defense contractor status and successfully renew their certification.
Unmatched Cybersecurity Expertise
24By7Security has unmatched experience in developing security frameworks that enable organizations to meet and maintain cybersecurity compliance requirements. The CMMC Readiness Service is an outstanding example of such a framework. As a respected cybersecurity firm with dozens of certifications and multiple industry and professional awards, 24By7Security has conducted more than 1,000 security assessments against a variety of regulatory requirements.
Summary
The Department of Defense supply chain is extensive, consisting of nearly 221,000 contractors and subcontractors in five primary industries, ranging from engineering and R&D to building construction and facilities support services to computer-related services. Most contractors are expected to complete the new Cybersecurity Maturity Model Certification within the initial five-year compliance window.
With the compliance window open as of November 2020, the largest contractors have already begun implementing CMMC requirements and fast-tracking toward their third-party assessments. However, nearly three-quarters of the supply chain (74%) are smaller contractors in need of expert guidance and practical assistance. The CMMC Readiness Service, a thorough program developed by 24By7Security, is available immediately to assist contractors in successfully preparing for CMMC compliance and certification.
As an approved Registered Provider Organization, 24By7Security is now scheduling CMMC Readiness Service projects with defense contractors who desire to secure a competitive edge by achieving compliance certification as efficiently as possible.