CMMC is Here – Are You Ready?
As if 2020 couldn’t throw more at businesses, there is also a major defense contractor regulation that companies must comply with. On Jan. 31, 2020, the U.S. Department of Defense released the first version of the Cybersecurity Maturity Model Certification. Also known as NIST 800-171, CMMC was created to allow companies that had contracts with the Department of Defense to show they were protecting Controlled Unclassified Information (CUI). This information includes personal and confidential data that resides on nonfederal systems operated on behalf of a federal agency.
Initially, contractors could self-certify that they met the NIST requirements. CMMC version 1 changes that by requiring a third-party assessment of the contractor’s compliance and by mandating that the contractor demonstrate the capability to adapt to evolving cyberthreats against CUI.
It is estimated that the new CMMC requirement will impact more than 300,000 companies, ranging from large system integrators to SMBs. And each company could be affected differently based on the five tiers that different contractors will have to meet:
- Level 1 – This tier covers the basic safeguarding of contractor information systems as listed in FAR Clause 52.204.21.
- Level 2 – This builds upon Level 1 by requiring greater cyber hygiene to protect CUI by applying an additional 48 controls from NIST 800-171r1. In fact, Level 2 has an additional 55 practices over Level 1 for a total of 72 practices.
- Level 3 – This level requires “good cyber hygiene” to protect CUI. It encompasses all practices from NIST SP 800-171-r1.
- Level 4 – This level requires contractors to review and measure all their practices and to establish procedures for responding to the changing techniques and procedures of advanced persistent threats.
- Level 5 – This level requires that the company meet all previous levels and have a standard process in place for the organization to respond to and defend against advanced persistent threats.
If you sell or are going to sell to the government, this affects you. There are many steps your business can take today to comply with CMMC. You don’t need to go it alone. Give 2W Tech a call today and let us help your business prepare for the Cybersecurity Maturity Model Certification and give you audit support. 2W Tech is a technology service provider that has a proven track record with our Cybersecurity Compliance Program.