Should Your Organization Seek CMMC Certification?

Should Your Organization Seek CMMC Certification?

Best Guidance for CMMC Certification

For help navigating CMMC, contact HRCT today. We can also handle your IT infrastructure needs so you can concentrate on fulfilling your defense contracts.  

Your company can gain a lot by seeking CMMC if you do any work with defense contracts. Cybersecurity Maturity Model Certification is the result of the Department of Defense’s efforts to keep the Defense Industrial Base (DIB) secure. To do so, the DoD is creating a new cybersecurity assessment model that companies can become certified for.

HRCT helps companies seeking certifications such as the CMMC. Let us help your company work through the red tape and become eligible for defense contracts.

How Was the Standard Developed?

The DoD is working with the Applied Physics Laboratory at John Hopkins University as well as the Software Engineering Institute (SEI) at Carnegie Mellon University to analyze a number of cybersecurity standards. The goal is to create a single combined standard. Examples provided to date concentrate on NIST 800-171 as the central standard. Defense contractors receive scores in 14 areas with individual controls. These grades would represent the degree of sophistication in the company’s cybersecurity defenses. Another assessment addresses institutionalization (pervasiveness) of the company’s cybersecurity policies and procedures.

Will the Certification Be Expensive?

Companies wishing to do business with the Department of Defense’s (DoD) will need Cybersecurity Maturity Model Certification (CMMC) to win DoD contracts. However, the pervasive nature of the changes involves changing systems and procedures, which may be cost-prohibitive for some companies.

Fortunately, the DoD has stated that CMMC preparation is an “allowable cost.” That means that companies can bill the expense back to the DoD. The level of certification will be specified in sections L and M of the DoD’s standard Request for Proposals (RFP) template used to bid on defense contracts. In other words, companies bidding of DoD contracts now receive reimbursement to prepare for CMMC Assessment and remediation to achieve the necessary cybersecurity controls laid out in the contract.

Over the past few years, the DoD has been tweaking its requirements, making it difficult for companies to navigate the changing landscape. To these companies, the standardization and chargeback to the DoD is welcome news.

How Does Your Organization Achieve CMMC Status?

If you wish to qualify for the CMMC, coordinate with an independent commercial certification agency to schedule your assessment. During the process, you specify what level of certification you wish to pursue. Each level has additional business requirements. Once your company demonstrates the required capabilities and organizational maturity, it receives the certification. Eligibility is determined by an independent assessor.

What Are the Different CMMC Levels?

Nothing has been set in stone, but here are the levels we know about so far:

  • “Basic Cyber Hygiene” includes 17 controls based on NIST 800-171 rev1.
  • “Intermediate Cyber Hygiene” includes another 46 controls straight out of NIST 800-171 rev1.
  • “Good Cyber Hygiene” – includes all control outlined in NIST 800-171 rev1, which are 47 more than in previous levels.
  • “Proactive” – Includes Level 1-3 controls plus 26 controls documented in NIST 800-171 RevB (still under review).
  • “Advanced / Progressive” – The final level adds in four more NIST 800-171 RevB controls.

If you need help navigating the emerging standards surrounding CMMC, contact HRCT today. We can also handle your IT infrastructure needs so you can concentrate on fulfilling your defense contracts.