As the Department of Defense’s (DoD) CMMC 2.0 rollout date approaches, executives are increasingly wondering when they need to be CMMC 2.0 certified. There is no one answer to this question, however, since requirements and timelines vary depending on contracts and suppliers. To help you understand what is required for CMMC 2.0 certification, we’ll review the basics including the launch date, assessment guide and levels of certification.
CMMC 2.0 is the new version of the Cybersecurity Maturity Model Certification (CMMC) program, developed by the U.S. Department of Defense to improve cybersecurity within the defense industrial base (DIB) sector. The primary goal of CMMC 2.0 is to provide improved protection for Controlled Unclassified Information (CUI) through mandatory certification standards that all suppliers must adhere to in order to win defense contracts. The certification requires organizations to have appropriate security measures in place, including higher levels of access control and continuous monitoring, as well as more comprehensive processes for securely handling CUI-related data and documents.
CMMC 2.0 implements tiered assessment requirements tied to levels of maturity, each with increasingly stringent requirements for implementing security measures and practices. Level 1 focuses on basic cyber hygiene such as awareness training, while Level 5—the highest level—requires advanced capabilities such as risk management and incident response planning. Organizations must demonstrate their compliance with each level’s requirements in order to be certified at that level. In addition, third-party auditors will assess a company’s compliance with the standard’s requirements during a CMMC audit.
Once CMMC 2.0 is implemented in March 2023, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.
Additionally, some government contractors may be required sooner depending upon the nature of their work and specific contractual agreements they may have with the DoD. Regardless of when exactly your organization may need to certify under CMMC 2.0, it’s important to start preparing now so you can ensure your compliance when it does come into effect across all DIB contracts.
Under the CMMC 2.0 certification program, third-party accredited assessors will evaluate a company’s ability to comply with its cybersecurity requirements based on an assessment guide provided by the DoD, prior to an audit being conducted onsite at the organization’s facilities (if necessary).
This CMMC 2.0 assessment guide details what auditors will look for during an assessment or audit including:
- Policies and procedures related to cybersecurity operations
- Which tools are used in cyber operations
- How IT assets are inventoried
- Whether measures are in place to prevent unauthorized access
- How vulnerabilities are handled
- If an incident response plan exists
- If personnel have been trained on proper cybersecurity protocols
- Other criteria related to complying with various parts of the standard at each level of maturity
This comprehensive assessment process helps ensure that organizations are adhering strictly to all aspects of their cybersecurity policy before being certified at any particular level by DoD assessors/auditors.
What steps can organizations take to ensure they are ready for certification when it launches?
Organizations should begin preparing now so they can achieve successful certification when the DoD contract mandate arrives in 2023, or sooner where contractual agreements already established require earlier certification, by following these steps:
Develop a solid understanding of the new version of the standard—familiarize yourself with all five levels including what capabilities must be implemented and demonstrated within each one before achieving successful certification at that level(s).
Evaluate current processes against the updated standards. Compare any differences between what you’re currently doing and what’s required so you know what to improve prior to successfully completing your final audit from a qualified third-party agency approved by the DoD.
Update existing IT policies and procedures accordingly. Make sure you are continuously aligning updated policies and procedures with every aspect outlined in both versions of the standard at the same time, so nothing gets overlooked before it is checked off during your audit.
Continuous education and awareness initiatives help keep personnel up to date on the newest threats and the risks associated with them, while also keeping everyone informed about the latest industry best practices for protecting confidential and classified information.
As we approach the CMMC 2.0 launch date early next year—or sooner depending upon existing contractual agreements already in place—you don’t want to risk losing a contract because you weren’t prepared. BL King can help you understand what your business needs to do to get up to speed with the latest requirements. We identify steps you can take today to prepare ahead of time, thereby mitigating unnecessary delays that result from a lack of guidance during the planning stages. Contact our team today to schedule your CMMC 2.0 assessment, and we’ll make sure you don’t miss out on future opportunities due to compliance issues.