Update: CMMC 2.0 was announced in November 2021, bringing large scale changes to the model. Learn more about the changes.
As small businesses face the requirements of the new CMMC update and launch, they’ll quickly realize the crucial need for careful, intentional planning in pursuit of meeting the new benchmarks. CMMC introduces a major shift in cybersecurity – one that will strengthen the infrastructure of American businesses, but not without considerable work.
The Department of Defense has developed the framework to better equip Defense Industrial Base (DIB) contractors as they pursue contracts with both government and non-government agencies. Though the requirements will not be officially announced until January 2020, their specifics aim to substantially strengthen cyber protection practices, embracing not only NIST SP 800-171 compliance standards but also the requirements of ISO27001, AIA MAS 9933, FIPS, and others. Additionally, the new program acknowledges the need for security levels tiered by business practice: those dealing with low-risk work will be subject to fewer compliance requirements than high-risk organizations.
Businesses will be subject to independent audits to certify compliance with CMMC levels. Further, contract requests will be required to list the required compliance level at the RFP stage, and only companies that qualify for the lowest acceptable level or higher will be able to bid on those projects.
Ultimately, this change could start showing effects as early as spring of 2020 – a tight time frame to adopt and comply with any new requirements, especially ones that are stringent and detailed. There is no doubt that small businesses need to plan diligently in order to achieve prompt certification. Despite the lack of exact details, companies can get a jump start on the program by following a few preliminary recommendations.
Understand your company’s security needs
As we’ve already discussed, companies will only need to comply with the level of security necessary for their business’ network. But failing to meet the minimum requirements of your potential customers may mean loss of contracts. Determine exactly what information in your organization could put you or your stakeholders at risk. If you’re not dealing with classified or other sensitive information, CMMC level one or two may satisfy your needs. Take a holistic look at the information you work with and make a preliminary determination of the work you will need to complete.
Complete an internal audit
In examining the information you use and store, you will get a jump start on the exploration of your existing security programs and protocols. Use the momentum of your first task (determining your security needs) to dig into the processes you have in place. Complete an internal audit – either with the help of your IT team or with a third-party advisor – to identify potential inconsistencies and lapses in your current security systems and practices. The National Institute of Standards and Technology’s Handbook 162 is a great resource for any company certifying to CMMC up to level three.
Partner with a third-party expert
Whether you need a full program overhaul or a handful of calculated adjustments, partnering with an organization that has done the work to become an expert in the new CMMC update requirements will ensure you hit the mark. By allowing a third-party organization to help you formally evaluate and perfect your cybersecurity systems, you’ll get an objective view of your system’s faults as well as professional, experienced recommendations for correction and enhancement. Don’t wait to find a partner for this project – the tight timeline means that consultants and third-party agencies will quickly fill their calendars after the start of the year. It’s crucial to get on board with someone you trust.
It can be intimidating for small businesses to approach requirements like the CMMC update. Time, resources, and, especially, cost come into question as you determine the next best steps to take as a small business. Rest assured that the DoD does not want cost to be a barrier – financial assistance will be available to help with initial certification, and any remaining expense can be rolled into each company’s billable rate.
Change is inevitable – the only constant. With increasing cybersecurity threats to our business and our nation, adoption of the new CMMC update requirements will ensure the safety and longevity of our American small businesses far into the future.
Contact us today about working toward compliance to NIST 800-171/CMMC.