In mid-2020, the Department of Defense will begin enforcing provisions of the Cybersecurity Maturity Model Certification (CMMC) for all of its contractors, augmenting the NIST SP 800-171 requirements that have governed the protection of Controlled Unclassified Information on defense contracts since that publication's release in 2015. This change is already having major impacts on organizations working toward compliance. When the requirements begin appearing on contracts in June, it is expected that there will be immediate effects for the industries and companies that rely on government sales, even indirectly.
Not familiar with CMMC? Here’s a primer:
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is designed to combine best practices and standards from across the security industry, creating a uniform policy that reduces the risk of threats to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information provided by or generated for the government under contract that is not intended for public release; CUI is unclassified information that nonetheless requires safeguarding or dissemination controls under law, regulation, or government-wide policy.
How will CMMC be implemented?
The implementation of CMMC includes standards for physical system access, operations and maintenance, documentation, and digital system access. A key difference between CMMC and earlier frameworks is the certification requirement: companies can no longer self-certify their compliance. An independent third-party assessor must now audit the implementation. Subcontractors are also required to adhere to CMMC, even if they do not handle CUI directly.
Luckily for companies trying to navigate the often-muddy waters of government contracts, CMMC uses a tiered system. Not all companies need to apply the strictest standard, so there are five levels of compliance, ranging from “Basic Cyber Hygiene” to “Advanced/Progressive”.
The basic levels are designed to result in a uniform minimum level of protection, without being cost-prohibitive for most organizations. In some cases, the implementation may be eligible for reimbursement by the Department of Defense. Check for the CMMC certification required to bid in sections L & M of government RFPs.
According to the Council of Economic Advisers, malicious cyber activity is estimated to have cost the U.S. economy between $57 billion and $109 billion in 2016. Cybersecurity is not only important for keeping federal contract information and data secure; it is also important for companies wanting to keep their own confidential data secure.
JetCo Federal has achieved Level 1 CMMC compliance and is working with our partners to become Level 2 certified. We have always believed in data security as a core component of managing complexity successfully, and that strong access and documentation protocols protect us as well as our customers. For our commercial clients, suppliers, and partners, this means that when we transmit, store, or manage their confidential data, it is subject to those same restrictions and protections. For some organizations, the extra compliance might be frustrating; for JetCo Federal, it is just another part of how we re-win our business every day.