Going Beyond Trust

New CMMC framework requires organizations to be assessed by an independent third-party before certification is issued.

Starting this year (2021), Cybersecurity Maturity Model Certification (CMMC) compliance is required for organizations supporting or feeding into the Defense Industrial Base (DIB). DIB organizations previously self-assessed their compliance with NIST 800-171, but DIB officials state that self-certification is not working: cyberattacks succeed because organizations have not fully secured their networks. The new CMMC framework removes the element of trust and requires that an assessment or audit be performed by an independent third party. CMMC Certification is issued upon successfully passing the audit.

Requests for Proposals (RFPs) will gradually mandate CMMC Certification as a prerequisite to enter the Department of Defense (DoD) bidding process. CMMC requirements will be implemented in all new DoD contracts starting in FY 2026. Based on the sensitivity of the information handled under the DoD contract, each RFP will specify the maturity level that must be attained prior to contract award.

There are five maturity levels, each composed of practices and processes. Certification to Maturity Level 1 is required for safeguarding Federal Contract Information (FCI), and most DoD contracts require compliance with Level 1. Fewer contracts require certification to Maturity Level 3, which is required for protecting Controlled Unclassified Information (CUI). Fewer than one percent of RFPs are projected to require Maturity Level 4 or 5 certification.

Maturity Levels:

  • Level 1: Safeguard FCI
  • Level 2: Serve as a transition step in cybersecurity maturity progression toward protecting CUI
  • Level 3: Protect CUI
  • Levels 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)

The CMMC Accreditation Body (CMMC-AB) manages CMMC for the Department of Defense. As a Registered Provider Organization (RPO), Concord has been qualified and designated by the CMMC-AB to help organizations prepare for CMMC Certification.

CMMC represents a new way of doing business with the DoD. CMMC Certification is pass/fail, and all requirements must be met. With the compliance deadline quickly approaching, Concord recommends that DoD contractors start preparing for CMMC Certification now. RPOs, such as Concord, are uniquely positioned to help.
