Which of these statements is true? Bananas grow on trees. The Great Wall of China can be seen from space. CMMC compliance won’t impact your work with the Department of Defense. The answer: none of them.
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s new cybersecurity standard, and certification will be required for all contractors before they can bid on government projects. There are five levels of certification, which are earned based on the security safeguards in place to protect sensitive government information.
The DoD is still developing the full compliance process for the CMMC, but requests for proposals (RFPs) requiring certification will roll out in September. This has created a lot of confusion among contractors, leading to several misconceptions about the CMMC and its certification process. In this blog, we’ll take a look at some of the most common myths about the CMMC to help you understand this new framework and prepare for certification.
Myth #1: We're already compliant with NIST 800-171, so we don't need the CMMC certification.
The CMMC is built on the NIST SP 800-171 framework, and both frameworks aim to protect controlled unclassified information (CUI). However, they are not one and the same, and alignment with one does not equal compliance with the other. A few differences between the two standards include:
| CMMC | NIST SP 800-171 |
|---|---|
| Assesses the maturity of a company’s cybersecurity processes and practices | Assesses the cybersecurity controls of a company |
| Five levels of compliance | One level of compliance |
| | Recommended security practices |
| Reducing risk in DoD supply chains | Adopting cybersecurity best practices |
Since the CMMC requires a third-party audit, simply being NIST 800-171 compliant is not enough to earn a CMMC certification. On the other hand, you must have the NIST 800-171 as a foundation to earn your CMMC certification. Alignment with both frameworks is essential if you plan to work with the DoD.
Myth #2: Our IT department can prepare us for CMMC certification.
The CMMC has a total of 17 domains and 171 cyber hygiene practices (if attempting to certify to Level 5). If your program is already aligned with NIST SP 800-171 requirements (which equates to a CMMC Level 3 certification), you’re in good shape. But realistically, the CMMC is not something one IT team can handle.
While your IT team can help implement cybersecurity processes and controls, your cybersecurity team must be the ones who set your strategy and design the controls needed to align with the CMMC. In addition, the CMMC is a new framework and prone to changes. Therefore, you need a strong project manager to stay on top of updates, keep the project on budget, and keep the compliance process running smoothly. Partnering with a cybersecurity services firm that has CMMC expertise can be an efficient use of resources and accelerate the certification process once audits begin.
Myth #3: We can just use technology to achieve compliance with the CMMC.
While technology can help with certification efforts, software alone will not put your company in compliance with the CMMC. That’s because the CMMC goes beyond just addressing IT security. For example, the CMMC addresses the issue of human error (which accounted for a quarter of data breaches in 2019), requiring contractors to address the practices and processes around physical security, personnel security, and even employee awareness and training. Technology can help support compliance efforts, but achieving a high maturity level will require both your tools and your team.
Myth #4: The CMMC won't actually impact my ability to win DoD contracts.
To bid on contracts in the past, companies in the defense industrial base (DIB) could self-certify their compliance with Defense Federal Acquisition Regulations (DFARS), which relies on NIST requirements. Since a supply chain is only as strong as its weakest link, this inevitably led to various data breaches and the compromise of government intellectual property.
Soon, all contractors will need to be CMMC-certified at the level specified in the RFP to win, participate in, or even bid on a contract. Those companies that are lacking the minimum CMMC level requested will be automatically barred from bidding or participating.
Myth #5: The CMMC process is too time consuming.
Because the CMMC will force companies to assess a wide scope of information security processes, it will require ample time and resources to achieve compliance. The CMMC Accreditation Body (AB) recommends that companies should begin planning their certification at least 6 months prior to their estimated start date. However, there are ways to streamline this process.
First, the CMMC is built on established security frameworks that many organizations have already adopted, like NIST 800-171 and 800-53. CMMC preparation can be done in tandem with other cybersecurity assessments to save time and resources. Another option is to partner with a services firm like Focal Point, who is well-versed in the CMMC’s requirements, to perform initial readiness assessments and build a Plan of Action & Milestones (POA&M).
Myth #6: The CMMC is too expensive and isn't justified by ROI.
For many organizations, adding the cost of CMMC compliance to their security budget right now is not an option, but there’s some good news. The DoD has confirmed that the costs incurred to prepare for CMMC compliance will be considered “allowable” and “reimbursable,” meaning contractors can include these costs as part of their billable rates within future contracts.
Upfront costs will depend on a number of factors including the maturity of your current NIST SP 800-171 program (compliance is equivalent to a Level 3 certification), the size of your organization, third-party support, the scope of your CUI, and the certification level you’re hoping to achieve. Despite the initial investment, the revenue gained from ongoing DoD contracts should provide more than a significant return to offset the initial costs. The question really is "Will you be able to afford not complying with the CMMC?"
Myth #7: CMMC audits have already started.
Under the CMMC, companies will not be allowed to self-certify and must be audited by a third-party assessment organization (C3PAO) or an accredited individual assessor to achieve compliance. The C3PAO or independent assessor will evaluate a company’s security environment for gaps and weaknesses to determine if the CMMC requirements have been met for that specific level.
At the end of June, the CMMC-AB began accepting registrations for C3PAOs and certified individual assessors, but no formal accreditations have been awarded. Furthermore, the CMMC-AB has not released the finalized process for Level 3 or Level 5 certification. Therefore, CMMC audits have not begun yet.
Although the CMMC is still in development, there are only a few months before CMMC requirements are incorporated into RFPs, and only those certified can continue working with the DoD. Organizations should start preparing now for their accreditation audit, which includes finalizing compliance with NIST 800-171 requirements. And while questions about the CMMC will remain until it is fully finalized and implemented, Focal Point will be there along the way to help guide your company through the process.