Cybersecurity Maturity Model Certification: What does it mean to your business?


Modern cybercrime needs a current solution, and your IT plan is the cornerstone. As a technology solution and services provider in the DC, Northern Virginia, and Maryland regions, MainSpring secures clients' communication and data in both the public and private sectors.

This blog is about the Cybersecurity Maturity Model Certification (CMMC) and the Department of Defense, but keep reading if you work in the private sector. You will also find it helpful, especially if you plan to bid your services to the Defense Department (or possibly any federal government agency).

Department of Defense contract requirement

In early 2020, the Department of Defense first told us about the new enhanced CMMC requirements for all contractors bidding on defense contracts.

“…Cybersecurity risks threaten the defense industry and the national security of the U.S. government, as well as its allies and partners. About $600 billion, or 1% of the global gross domestic product, is lost through cyber theft each year.” (Ellen M. Lord, Pentagon press conference)

The year 2020 was a challenging year for all businesses, including government contractors, so we will not be surprised if you missed essential announcements about CMMC. But you should know that all Department of Defense bids will contain a certification clause by the year 2026.

(It is important to note that as I am writing this blog, Congress has put a pause on the CMMC. After a review, the industry and the Department of Defense feel that the program will move forward. You can read about the Congressional review here.)

If you are a defense contractor or you plan to bid on your services in the future, now is the time to ensure that your organization meets the criteria to become certified.

Where does your company stand?

The CMMC provides five levels of cybersecurity process certification. In the future, requests for bids will state the level of certification required to qualify as a contracted services provider.

Not all contractors need to reach the higher levels. Presently, an organization’s SPRS score demonstrates its security standing and is used by prime contractors and the federal government as a measure of readiness. Your organization’s income and growth are on the line.

To provide a quick overview of the five levels of certification, here is a snapshot:

  • Level 1: Basic Cyber Hygiene (17 practices)
  • Level 2: Intermediate Cyber Hygiene (72 practices)
  • Level 3: Good Cyber Hygiene (130 practices)
  • Level 4: Proactive (156 practices)
  • Level 5: Advanced/Progressive (171 practices)

You may already be wondering about the criteria included in the 171 practices. As a guide, NIST has released Handbook 162, a cybersecurity self-assessment guide. You can find the handbook here.

CMMC Level One basics

Over the past year, MainSpring has written blogs about the importance of cybersecurity hygiene. Here is a selection from our library:

I point out the specific blogs from our library as a starting point. If you followed the tasks outlined in those blogs, your organization would be well on its way to certification at CMMC Level 1 or 2.

Of course, if you want to remain or become a prime contractor, your goal is to have your organization certified higher on the scale.

Where does your company stand? Now is the time to find out. To dig deeper into the five levels of certification and the process to prepare for CMMC certification, I spoke to a member of the MainSpring vCIO team.

Behind the scenes of CMMC certification

By now, you may have a long list of questions. No doubt, any new requirement that impacts business leads to questions. The CMMC certification will include an evaluation by third-party assessment organizations (C3PAOs).

How do you get ready for the CMMC evaluation? Is the 170-page NIST handbook an adequate prep guide? What if our organization receives a low initial score? These are just a few of the questions that MainSpring has received from clients.

To prepare defense contractors for CMMC third-party review, MainSpring offers an intensive cybersecurity review protocol. I spoke to Jeremy Kaikko, MainSpring vCIO, about our CMMC pre-evaluation procedure.

Ray Steen: Reviewing the NIST handbook may not be adequate preparation for a CMMC certification review. Tell us about the cornerstone of the MainSpring CMMC review program.

Jeremy Kaikko: The vast majority of self-attested NIST audits we generally find have very loose or liberal interpretations of the audit points, which will lead many clients to find themselves falling short of the requirements and will leave them with a lot of work to do when CMMC requires a third-party attestation of their security posture. MainSpring follows a set of controls to ensure that an accurate reflection of the environment exists, which will leave clients with few surprises when the CMMC audit is performed.

RS: Here are a few questions that MainSpring has received in the past year. If a contractor receives a low certification score, what are their options for improvement? May a contractor submit a request for a second review? (This is geared toward the interim attestation of SPRS, the stopgap between self-assessment and CMMC.)

JK: A score is given based on the outcome of the audit, along with a POA&M that designates how and when those shortfalls should be addressed. Once initiatives from the POA&M are completed, the assessment can be updated to reflect a new score.

Is CMMC just for defense contractors?

If your business is in the DMV region or you are a federal agency contractor, you may be reading this blog and asking yourself, "Is CMMC just for defense contractors?" That is an excellent question, and indeed the answer will impact future business opportunities.

The goal of the CMMC is to ensure that modern cybersecurity needs are met with current policy by all contractors. It is also a mechanism to level the playing field during the bid process. As you may have already guessed, other federal government agencies are closely watching the roll-out of CMMC.

But cybersecurity is not just for government contractors. Now is the time for all organizations to review their security protocols; it is time for a cybersecurity check-up. And if your organization later decides to offer its services to a government agency, you will already be a few steps closer to CMMC certification.