Will You Be Subject To A CMMC Audit? Here's How To Know


The imminent rollout of the Cybersecurity Maturity Model Certification requirement is a hot topic across the Defense Industrial Base. Contractors across the country have been scrambling to figure out what exactly is going on. It's not hard to see why. The guidance on CMMC has changed several times, and many contractors felt that the framework was unfair and unnecessarily burdensome. As the situation continues to develop, many contractors are still unsure whether or not they will be subjected to a CMMC audit.

Luckily, there is more information available than ever before. With the official rollout of CMMC expected in the next 18 months, a clearer picture of the accreditation system is beginning to develop. While CMMC will affect all contractors within the DIB, your firm's duty to submit to an audit will depend on the information you handle.

Sensitive Information 

The first iteration of CMMC was criticized for not distinguishing firms with no exposure to sensitive information from those that handle it. To rectify this, CMMC 2.0 has revised its audit system to correspond with a three-tier security system. Before exploring the tiers themselves, it is important to understand the sensitive information at play. Your obligations under CMMC 2.0 will depend on your firm's relationship to High-Value Assets (HVA) and Controlled Unclassified Information (CUI). To understand what you will need to do, you will need to understand which tier your firm falls under.

Under CMMC 2.0, the first tier is called Foundational. This tier refers to contractors who do not handle or transmit HVA or CUI. The second tier is called Advanced. To be considered Advanced, a contractor must deal with CUI but not HVA. Under the revised CMMC guidelines, the highest tier is called Expert. This category is reserved for firms that handle HVA, and it carries the highest verification burden. Assessing the nature of your business and determining the tier you fall under will tell you how you are expected to certify your cybersecurity systems.

Will I Be Audited? 

Contractors who fall under the Foundational tier will not be required to submit to a third-party accreditation service. Instead, they will only need to complete an annual self-assessment of their cybersecurity network. Firms that fall under the Advanced tier will generally be allowed to self-certify. However, this tier carries an exception: Advanced tier contractors who handle CUI of particular interest to national security will be subject to a CMMC audit. Finally, contractors who fall under the Expert tier will also be required to submit to an audit. However, the audit will likely not be performed by a third-party service. Details are still emerging, but Expert tier contractors should expect to be audited by a government agency.

CMMC Conclusion

The new CMMC guidelines from the Department of Defense are more efficient and less burdensome. While the third-party certification requirements have been loosened, you will still be expected to keep your cybersecurity systems in line with DFARS standards. As you prepare for the CMMC rollout, a consultation with a qualified compliance manager is one of the best things you can do.
