CMMC: Cybersecurity Maturity Model Certification
Carol: Last week the Department of Defense published its final rule for CMMC, which means that it’s getting very close to becoming a requirement for certain businesses. So, Lliam, tell us, first of all, what is CMMC, and also which businesses need to be aware of it?
Lliam: The CMMC is a cybersecurity framework, and it was designed for companies that are doing business with the Department of Defense, right? So, as you would expect, you would hope that companies that are doing business with the Department of Defense are protecting our assets. And so, this framework is a way of making sure that people who are handling sensitive information or they are creating products or services, that there are certain restrictions that they have to adhere to in order to be able to protect those physical and digital assets.
Carol: Realistically, how soon could CMMC become a requirement? Because they’ve been talking about this for years, right?
Lliam: They have, right? This is one of those things that the Department of Defense knew they needed to start creating a framework for. They created an organization, or they partnered with an organization called CyberAB in order to create that content, and they went into what we call the rulemaking process, right? And this rulemaking process is what kinds of companies? What kinds of data? How do we protect it? Because not everyone is created the same, right?
So, somebody who is selling paper clips to the government versus somebody who is creating weapons…those aren’t the same kind of people. Right. So, originally, we had five different levels of CMMC, and then through the rulemaking process now with 2.0, we’ve narrowed that down to three levels.
And as we’ve gone through this rulemaking process, we’re now sort of turning that corner where that first quarter of 2025 is really when you’re going to start seeing it in contracts and CMMC is going to have some real teeth in terms of auditability and there’s going to be these expectations that are set that these companies are going to be CMMC 2.0 compliant.
Carol: How long does that process take? If we’re looking at the first quarter of 2025, that’s just, a few months away.
Lliam: Sure. And so, it really depends on what level you are, right? So, as you would expect, a level-one business has different requirements than a level-two or level-three business.
And really a level-three business is really that 10%. These are people who are dealing with highly sensitive information. And so, to kind of go back to the question you’re asking, it takes as little as three months all the way up to 12, and it could be 18 months. By the time you get your organization ready, you go through a formal audit process.
You didn’t have to go through that remediation process because you’re probably not going to pass the first time around, right? And so, you’re probably going to want to make some changes based on the audit, and then you’re going to be compliant. And so, to be really simple about your question, it could be as little as three months, could be 12 or 18 months.
Carol: I would imagine that companies that have to be CMMC compliant, if they haven’t already started down this road, they’re probably behind the eight ball now, right?
Lliam: Yeah, at this point, I think you would be considered to be behind, right? You should have already started because, to the point I made a minute ago, you’re gonna have to get your network ready, right?
And then if you aren’t under the self-attestation at level one, if you’re at a higher level, you’re going to have to find an auditor, they’re going to have to do the audit, and then you’re going to have to remediate, right? And these are all going to be requirements that are going to be in the contracts that you signed with the DoD. And so, you’re going to want to make sure that you are compliant to the letter of the law so that you can service those contracts in the spirit in which they were signed.
Carol: And you would probably be ineligible to bid on contracts if you’re not CMMC certified. Is that right?
Lliam: So, actually, the way that it works is that you can bid on a contract if you are not CMMC certified. But if you are awarded the contract, you then have to become CMMC compliant before you can start working on that contract. This could obviously pose a logistical problem. When you’re looking at 3 to 12 or 18 months and you become awarded a contract, you could find yourself very quickly in breach of that contract because you have not become CMMC certified.
And so, what you’re seeing is a lot of companies know that this is where they’re going. They know that that’s what they do. And so they are starting to go down that path of making sure that they are becoming CMMC compliant. They are making sure that they’re going through that audit process so that they can comfortably bid on all of these contracts, whether they are existing customers or these are new contracts.
Carol: We have a CMMC Audit Checklist on our website, and I’ll post the link in the post so you can go take a look at that. You can download it if you want, but what are the first steps? Let’s just say a company hasn’t done anything yet, and they’re like, oh my gosh, we’ve got to do something. What are the first steps that a company needs to take to prepare for that CMMC audit?
Lliam: The first step is to figure out what level your organization is because as I alluded to a minute ago, each level has different requirements, right? Level one has less than level two, level two less than level three. And so, the first thing you’d want to figure out is what level is your organization.
And then you’d want to move into a gap analysis to understand what you do have and what you don’t have. And then you would want to start down that process of making sure that you get yourself ready to undergo an audit.
And then you’re going to want to hire an auditor and actually be audited and then go through that remediation process to become certified. And so, there is a process to this, and it starts with really making sure that you understand your level, you then understand that gap analysis, what you’re missing that you might need.
You plug any gaps that you have, then you go through the audit process. And last you go through that remediation and certification process.
Carol: So, and it’s way more complicated than you’re making it out to be.
Lliam: These are large milestones, right? These are sort of the biggest steps that you’re going to face.
And I can tell you that companies that we’ve helped go through this and prepare for this, it takes a lot of time, right? There are a lot of documents to read. There are a lot of policies that you have to create, and I think where people get off track a little bit is some of these policies are IT-related, and some of them are administrative-related, like how your employees act in certain situations. So, CMMC is not solely an IT function, right?
It involves management. It involves policies and procedures at the company level as well. Not just, can we hire some IT guys? Can we buy some technology in order to become compliant? That may be a part of your solution, but it’s only a part of the solution.
Download the CMMC Audit Checklist HERE.