To protect its supply chain and the sensitive data that flows through it, the United States Department of Defense (DoD) developed a cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC). The original version has since been updated to CMMC 2.0, which replaces the original requirements.
While it will take years to completely implement the CMMC standard, contracts are subject to an interim rule that requires contractors to prove they have implemented the 110 cybersecurity controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
To qualify for a contract bid, organizations must achieve CMMC certification for one of the standard’s three levels. Businesses are not allowed to bid on defense contracts beyond their certification level. The three levels build on one another.
Organizations Seeking Certification (OSC) select the level they wish to attain, based on the type of contract they expect to bid on. Once certified, they can bid on contracts up to their level of certification. A higher-level contract may allow for a lower level of CMMC certification for subcontractors, depending on the sensitivity of information that flows down to the subcontractor.
CMMC certification will be effective for three years. Prime contractors and the DoD may audit CMMC-certified businesses at any time, meaning they must produce documented proof of consistent implementation of all the CMMC controls up to the level of a client’s certification.
In addition to the self-assessment, contractors will need to create a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M). The SSP is a comprehensive summary of all security policies and procedures to help keep data secure if a contract is awarded. The POA&M identifies each task that needs to be completed in order to implement a missing control, including resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
If a business fails to achieve CMMC certification, it will not be permitted to bid on defense contracts. Failing to maintain a certification can also result in the loss of government contracts, breach of contract lawsuits, potential violations of the federal False Claims Act, and banishment from future contracts.
Defense contractors need managed and advanced security to ensure consistent implementation of CMMC practices. Compliance Manager GRC is a valuable tool that allows you to do just that. The hosted, role-based solution includes a built-in workflow automation engine that helps you comply with the immediate Interim Rule while preparing for CMMC at the same time. A variety of reports are automatically created, including those required for compliance with the NIST SP 800-171 Interim Rule. It also generates a full security risk assessment and a management plan to remediate any discovered issues.
With continuous monitoring and documentation, Compliance Manager GRC helps you maintain adherence to CMMC 2.0 and preserves a healthy audit posture.
Want to find out more about Compliance Manager GRC and how it can help you manage CMMC 2.0 compliance, as well as many other mandated regulations? Request a demo of Compliance Manager GRC today.