What is CMMC?
If you haven’t heard of CMMC you are not alone, up until recently the Cybersecurity Maturity Model Certification or CMMC was only a focus of the Defense Industrial Base (DIB), contractors and subcontractors have watching the implementation and rollout of a new standard and certification for the last few months. With the acceptance and approval of the first batch of assessors expected shortly the auditing process will begin shortly thereafter.
The Cybersecurity Maturity Model Certification (CMMC) is a new requirement that will in essence grade the DIB contractors infrastructure against a set of up to 171 security controls. The process to be considered compliant at one of these levels requires all members of the DIB to submit to an audit by a third party organization (C3PAO) and assessor. The assessor then submits the findings of the audit to an accreditation body who then confirms which level applies to the audited company. The companies CMMC level is then listed on a publicly accessible database, and the confirmed level will determine what DoD contracts the firm is eligible to bid on.
I’m not part of the Defense industry, should I care?
For now obtaining and maintaining a CMMC certification is only a requirement for Defense contractors, but many within the industry expect limitation to not last long. Currently, CMMC level requirements will begin to be listed in Defense RFIs and RFPs as early as September, at a minimum firms will most likely be required to obtain a level 1 certification as they will be dealing with FCI or Federal Contract Information.
Up until recently the discussion about a broader Federal rollout was considered an eventual or 10 year timeline. That, however, has changed. We are now seeing the CMMC language in other federal contracts including the most recent GSA STARS III contract. The new contract from GSA states it “reserves the right” to require CMMC certifications for small businesses awarded spots on the governmentwide IT contracting vehicle and “While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification,”
Echoed and applauded by numerous members of the CMMC program team including Ty Schreiber and Katie Arrington and others within the Cyber Security world. Many are hopeful that CMMC could not only become the gold standard in working on and bidding on government contracts, but also CMMC could be viewed as an international standard or a requirement for cyber insurance. Should the later hold true, maintaining a CMMC level will not only affect those within the government contracting world attempting to win federal contracts, but also non-government contracts as well.
What do I need I do now?
In relation to CMMC the short answer is no you do not need to do anything…. for now. The CMMC requirements only effect the defense base and its cyber security teams. However, that doesn’t mean you should turn a blind eye to this either.
With a rise of cybercrime and system attacks during the pandemic and a shift to a more remote and cloud-based work force, establishing a more robust cyber security infrastructure is more important now than ever before. According to the FBI’s Internet Cyber Complaint Center (IC3) 2019 report, in 2018 the total losses in the United States from cybercrime were $2.8 Billion and are expected to reach $6 Trillion annually by 2021 across the global.
With the average loss to a company of $2.7 Million that same year, properly securing your infrastructure client data and intellectual property against a malicious attack could save your company millions in losses.
How can Summit Help?
At Summit Business Technologies our team utilizes our 30+ years of experience to assist you in securing your company data. Our team of cyber security team will walk through a cyber security assessment and provide you with the necessary plan of action and milestones you will need to complete to remediate any gaps in your infrastructure. In addition to the planning and assessment, our team can provide you with the right technology tools, policies and procedures should you need assistance in completing those items in your POAM.
If you would like to know more about our security team offerings contact us at firstname.lastname@example.org or give us a call at 443-795-5112.