Cyber incidents experienced by the U.S. Department of Defense since 2015
The U.S. Department of Defense (DoD) and its partners comprising the Defense Industrial Base (DIB) are targets of cyberattacks that are increasing in severity – and include cyberattacks sponsored by nation states.
To combat cyberattack risks, the DoD introduced Cybersecurity Maturity Model Certification (CMMC) requiring DIB contractors – who control almost 90% of critical U.S. networks – to meet specific levels of cybersecurity protection based on the sensitivity of information they handle.
CMMC helps ensure the more than 100,000 contractors in the DIB have appropriate cyber protections and resilience. Otherwise, DIB contractors may no longer contribute to the U.S. national defense.
What does CMMC Certification Require?
The DoD maintains many published standards, often through the U.S. National Institute of Standards and Technology (NIST), that outline detailed cybersecurity compliance measures. CMMC organizes those standards into three levels of cybersecurity preparedness. Organizations that are part of the DIB must achieve and maintain one of CMMC’s three levels of cyber preparedness, as specified by the requirements of the contracts they are bidding on.
For example, here is a snapshot of the cybersecurity control areas addressed by CMMC Level 1:
- Access Control
- Identification and Authentication
- Media Protection
- Physical and Environmental Protection
- System and Communications Protection
- System and Information Integrity
CMMC Timeline
- January 31, 2020: CMMC first released. CMMC was first released to the public as CMMC 1.0.
- November 2021: CMMC 2.0 announced. The DoD announced that CMMC 1.0 would be superseded by CMMC 2.0.
- December 2023: CMMC 2.0 details revealed. CMMC 2.0 emerged from the rulemaking process.
- 2024: CMMC implementation begins. Implementation for DIB contractors and subcontractors begins.
- 2025: Compliance expected to be completed. Compliance by all DIB contractors and subcontractors is expected to be completed.
Becoming CMMC Compliant for Federal Contractors
The CMMC 2.0 framework requires:
- Making CMMC a contractual obligation for each DIB contractor. Their ability to continue to conduct business with the DoD is contingent upon successful CMMC compliance.
- Every contractor must achieve and maintain certification for the level of cyber protection in CMMC specified in their contract(s). Level 1 certification requires an annual self-assessment. Level 2 and 3 certifications require higher levels of affirmation.
If your organization is currently a Department of Defense contractor, your contract with the DoD will be updated to reflect your assigned level of CMMC 2.0 during 2024. Your organization must meet and maintain compliance under the assigned level of CMMC at all times.
CMMC for Non-federal Contractors
How are you currently ensuring cybersecurity readiness and resilience for your operations today? While the needs of individual organizations vary, CMMC may be a good way to do so. It includes comprehensive, well-defined standards, tests, and implementation processes to make CMMC cybersecurity readiness an achievable goal.
Here are some key considerations to be evaluated:
1. Your organizational structure
2. The internal team in place today and any skills gaps that need to be addressed
3. External resources, such as consultants, temporary workers, and business partners
4. External cloud service providers
How Gray Analytics Can Help
For Federal Contractors
Gray Analytics helps you achieve your assigned level of CMMC compliance.
We are also qualified to assess federal contractors for CMMC compliance. Please note that CMMC consultations and assessments must be performed by different parties to avoid any potential conflict of interest.
For Non-Federal Contractors
For those companies seeking to improve their cybersecurity readiness and resilience, Gray Analytics can help.
We can help you adapt the appropriate level of CMMC compliance, securing your organization from unacceptable risks of cyberattacks.
We will begin the CMMC process with a conversation about cybersecurity readiness for your organization.