Today, we announced our engagement with the Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE). As the industry leader in continuous discovery, device asset inventory visibility, and security of all connected devices, including unmanaged IoT, IoMT, and OT devices, Ordr will supply cybersecurity protection and resilience for the global defense industrial base (DIB) network of contractors, vendors, and suppliers.
This will help the DIB network of contractors, vendors, and suppliers prepare for their CMMC audit, reduce complexity, improve awareness, and accelerate the industry effort to secure the Federal “supply chain” by becoming more cyber resilient.
Who does CMMC apply to?
CMMC applies to ALL government contractors, primes and subs, that do business with the Department of Defense (DoD). This includes more than 300,000 organizations that will need to be certified. Previously, federal contractors were allowed to self-certify. With the inception of CMMC in 2020, defense contractors must now achieve certification via an accredited third-party auditor in order to be awarded a defense contract.
When does CMMC go into effect?
On November 30, 2020, DFARS 252.204-7012 made cybersecurity hygiene foundational to all acquisitions. Provisionally trained CMMC assessors are now active, and the supply performance risk system has been activated alongside them. Requests for Proposals (RFPs) will now include CMMC requirements for contractors.
Why is CMMC being implemented?
Prior to CMMC, cybersecurity measures have failed to protect the United States supply chain. The NIST SP 800-171 security standard relies on organizations to self-assess their security posture and then report their compliance. Self-assessment is often not a top priority and does not offer any safeguards to verify supply chain integrity. Compliance does not equal security, but financially motivated compliance can drive cybersecurity hygiene and corporate process. CMMC will serve as a verification tool to ensure appropriate cybersecurity practices are in place for the DIB network of contractors, vendors, and suppliers.
How do I achieve CMMC compliance?
All defense contractors are required to coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule their CMMC audit. These auditors will review the contractor’s security processes and practices. Based on the security controls in place and the contractor’s ability to demonstrate organizational and operational maturity, the contractor will be awarded a CMMC certification from Level 1 to Level 5, with a multitude of Practices (also known as Controls) at each level. CMMC will require companies to hold a certification matching the level required in the solicitation prior to being awarded the contract.
What is Controlled Unclassified Information (CUI) data?
The DoD defines Controlled Unclassified Information (CUI) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Additional information on CUI is available in the DoD CUI memo and the National Archives and Records Administration’s CUI Registry. If your organization possesses CUI, you will likely need to achieve CMMC Level 3.
My organization is a subcontractor on DoD contracts; do I need CMMC compliance?
Yes, CMMC applies to subcontractors. The level of certification your organization will need will depend upon the type and nature of the information you receive from the prime contractor.
Does my organization need one level of CMMC certification or can areas of our organization be certified at different CMMC levels?
According to the DoD, “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for a particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.” Organizations can choose to achieve a base level of CMMC for their entire organization and be certified at higher levels for certain enclaves as contracts require.