CMMC Compliance Deadline Fast-Approaching for DoD Contractors
A series of important CMMC deadlines are scheduled in the coming months. DoD contractors must either meet them or be left out of the supply chain altogether.
DoD Contractors Who Miss the Impending CMMC Compliance Deadline Will Be Left Behind
A series of important CMMC deadlines are scheduled in the coming months. DoD contractors must either meet them or be left out of the supply chain altogether.
CMMC Compliance Deadline Fast-Approaching
The federal government has routinely updated its cybersecurity expectations of the contractors it works within the private sector, and critical deadlines are drawing near to meet the latest standards.
In an effort to ramp up protection of sensitive data housed on networks of contractors and supply chain operations, the Department of Defense (DoD) issued new Cybersecurity Maturity Model Certification (CMMC) guidelines, and all businesses are required to meet the rigorous standards. This time around, failure to gain certification won’t result in a fine or suspension of work with the DoD. Organizations that fail to comply in advance will be left out of the loop entirely.
The Defense Acquisition Federal Regulation Supplement (DFARS) adopted the NIST SP 800-171 cybersecurity guidelines for private-sector outfits housing controlled unclassified information (CUI) on their networks. This effort to protect valuable data from rival nations and cybercriminals reportedly has more than 300,000 DoD contractors and supply chain companies scrambling to comprehend the NIST SP 800-171 and bring their systems into compliance before it’s too late.
What You Need To Know About CMMC Compliance
There are three distinct challenges facing outfits that enjoy lucrative DoD contract work. The first entails understanding which of the five levels of cybersecurity hygiene you are required to meet. That may not be the most straightforward task for outfits that participate in different contracts. While the Level 1-5 designation will be published and listed on your agreement, this puts organizations in the unenviable position of not necessarily being prepared to bid on future work at your current compliance level.
The second demand will be understanding how to achieve requisite cyber hygiene and implement the mandated measures to insulate your CUI from cyber-theft. These can be rigorous and may exceed the technical expertise of in-house IT technicians. The third hurdle will be scheduling a third-party audit to gain proof positive you are in compliance before the deadlines hit. These include the following.
- January 2020: Official CMMC requirements have already been released.
- February-May 2020: The first round of CMMC assessors will be trained to review private-sector networks and approve or deny certification.
- June-September 2020: Audits are expected to begin, and DoD contractors, as well as supply chain organizations, must meet the CMMC standards in order to bid on future DoD contracts.
- October 2020: Contractors will be required to have earned CMMC compliance and passed a third-party audit.
As decision-makers can plainly see, the CMMC process is already underway. Given the hundreds of thousands of operations are moving swiftly to understand, meet their required level, and schedule a third-party audit will inevitably result in a backlog of work for cybersecurity professionals in this niche area.
How to Meet the CMMC Standards
Earning CMMC compliance requires an organization to conduct a full review of its current cyber health, best practices, and level of deterrence to emerging threats. That assessment must be weighed against the level of cybersecurity you are expected to meet and, perhaps, be prepared to make competitive bids that come with more stringent compliance. These are the fundamentals of the five levels.
- Level 1: Considered only “Basic Hygiene,” many supply chain outfits will only need minor upgrades or re-certification.
- Level 2: Generally understood as “Intermediate Cyber Hygiene,” a successful audit calls for meeting upwards of 55 control standards.
- Level 3: Also known as “Good Cyber Hygiene,” outfits can anticipate a minimum of 59 stringent controls.
- Level 4: Widely viewed as “Proactive,” this level requires active safeguards that can respond to the potential incursions.
- Level 5: Often called “Advanced or Progressive,” this cybersecurity threshold calls for 24-7 response to known and emerging threats.
It would be something of an understatement to say that many companies are already behind in terms of meeting the standards and securing third-party certification. The process has already begun, and proactive industry leaders are outsourcing this facet of their operations to get ahead of the curve. The longer any decision-maker in the DoD supply chain procrastinates, the higher the risk of losing profit-driving government work.
Learn More About CMMC and NIST Compliance
Check out some of our technology and DOD cybersecurity articles.
About SSE
SSE is a certified Women-Owned Small Business with over 30 years of experience in both the technology and training industries, serving commercial and government markets.
