How to Get Certified to CMMC
On January 31, 2020, the United States Department of Defense (DOD) released the Cybersecurity Maturity Model Certification (CMMC) v1.0. Now the transition to the CMMC framework is officially underway.
Although delayed from the initial starting date of September 2020, the DOD will begin adding CMMC requirements to some requests for proposals (RFPs) in the second half of 2021. The new requirements will continue to roll out from 2021 through 2026, after which all companies doing business with the DOD will need CMMC. That means DOD contractors need to begin working towards certification as soon as possible so they can continue to compete on DOD contracts.
NQA has officially received our CMMC accreditation, which means we are qualified to act as your Certified Third Party Assessor Organization (C3PAO) on your path to becoming certified to CMMC. With a value-added auditor on your side, you can navigate these new requirements and boost your company's cybersecurity posture along the way. Now that it's officially possible for your organization to become certified to CMMC, we've broken down the steps to CMMC certification for companies in the Defense Industrial Base (DIB).
Step 1 — Achieve NIST 800-171 Conformity
While the CMMC standard is new, it's an evolution of many existing cybersecurity guidelines, including the National Institute of Standards and Technology (NIST) Special Publication 800-171. CMMC does not replace NIST 800-171; it builds on it and adds a verification layer. Because there's considerable overlap, conforming to NIST 800-171 can prepare your business to become certified to CMMC Level 3. DOD contractors handling CUI have been required to comply with NIST 800-171 under DFARS clause 252.204-7012 since the end of 2017, and CMMC essentially verifies that companies are actually meeting those requirements rather than merely attesting to them.
Those who conform to CMMC Level 1 carry out 17 cybersecurity practices, covering about 15% of the 110 NIST 800-171 requirements. At CMMC Level 2, there are 72 required practices, 65 of which come from NIST 800-171, covering just over half of that standard. The 130 practices required at CMMC Level 3 encompass all 110 NIST 800-171 requirements, plus 20 additional practices drawn from several other cybersecurity standards.
Since a Level 3 CMMC certification is required for an organization to work with Controlled Unclassified Information (CUI), becoming NIST 800-171 compliant is an excellent first step for many organizations. There's no official certification process for NIST 800-171. Instead, organizations can use a self-assessment process to check that they fall in line with the rules. The DOD has also announced an interim rule requiring contractors to complete these self-assessments, and the government will conduct more in-depth assessments on particular vendors.
One of the reasons the DOD is transitioning to CMMC is that NIST 800-171 compliance has so far rested on contractor self-attestation, and the information it protects is too important for that. For national security, compliance must be verified by an independent party. CMMC also translates NIST 800-171 into a tiered system, allowing organizations that do not deal with CUI to achieve a lower-level certification. Under this new system, the DOD can verify that organizations have appropriate levels of cybersecurity controls for the type of data they work with.
Starting from the beginning, an organization may require up to eight months to implement all the necessary requirements from NIST 800-171. Organizations that already follow NIST guidelines should perform a gap analysis to ensure their internal practices would stand up to a rigorous third-party evaluation. NIST 800-171 groups its 110 requirements into 14 families, all of which are needed at CMMC Level 3 and above. Some of the requirements within each family are also required at the lower levels. The NIST 800-171 requirement families are:
- Access Control: These guidelines are concerned with authorizing certain users to view critical data and limiting access for others.
- Awareness and Training: Proper training and cybersecurity awareness can prevent many breaches, which is why NIST and CMMC specifically require them.
- Audit and Accountability: These rules ensure organizations create, protect and retain system audit logs so that authorized and unauthorized activity can be traced to individual users and violators identified.
- Configuration Management: Companies must establish and maintain baseline configurations for their systems, control changes to them, and restrict systems to essential functionality and software.
- Identification and Authentication: These rules surround verifying authorized users before granting access to CUI.
- Incident Response: These three guidelines ensure an adequate incident response procedure that's documented and regularly tested.
- Maintenance: Companies must perform system maintenance on a defined schedule, control the tools and personnel used for it, and sanitize equipment before it leaves the premises for off-site maintenance.
- Media Protection: These rules concern how hard copy and electronic data and backups are stored and who has access to them.
- Personnel Security: These guidelines ensure employees go through proper screening before gaining access to CUI.
- Physical Protection: These rules are about controlling physical access to hardware such as computer equipment and servers.
- Risk Assessment: These requirements ensure organizations periodically assess the risk to their operations and systems, scan for vulnerabilities, and remediate what they find.
- Security Assessment: Organizations must periodically assess whether their security controls are still effective, track remediation in a plan of action, and monitor the controls on an ongoing basis.
- System and Communications Protection: These requirements ask organizations to monitor and control information at critical transmission points, both internally and externally.
- System and Information Integrity: Finally, organizations must ensure they can quickly detect, identify and correct threats.
Step 2 — Prepare and Identify the Certification Level Required
The necessary certification preparations depend largely on your business. You may already work hard to ensure NIST 800-171 conformity. In that case, getting your CMMC certification will require incorporating a few other practices from other cybersecurity standards and initiating the certification process with an audit. Other organizations may need to implement a comprehensive cybersecurity system from scratch.
The first step in your preparations is to determine which CMMC Level, from 1 through 5, you need in order to compete on your desired DOD contracts. DOD RFPs will specify the required CMMC level and will at first only request Levels 1-3. The maturity level you need to certify to will determine which practices you'll need to implement and maintain.
CMMC lays out five maturity levels to evaluate the level of sophistication a company's cybersecurity system has achieved. The higher levels are best for medium and large enterprises, while Levels 1-3 are usually sufficient for small-to-mid-sized businesses. The five maturity levels include:
Level 1 — Basic Cyber Hygiene
This is the foundational level of cybersecurity, which is required to safeguard federal contract information (FCI) rather than CUI. This level ensures that FCI does not get released to the public. It includes 17 basic practices, all drawn from NIST 800-171 and corresponding to the 15 basic safeguarding requirements of FAR 52.204-21. At this level, organizations must be able to perform all the required cybersecurity practices to safeguard FCI, but are not required to document them. It's ideal for small businesses that may not have the resources to implement advanced systems.
Level 2 — Intermediate Cyber Hygiene
This certification level is where the organization begins documenting its practices and policies. By providing this documentation, the correct procedures become repeatable across the organization. Level 2 is a transitional step toward Level 3. Organizations must implement 72 practices at this level, 65 of them from NIST 800-171 and the rest from other cybersecurity standards. The goal is for the organization to begin preparing to handle CUI.
Level 3 — Good Cyber Hygiene
This is the level most organizations should aim for whenever possible. It allows organizations to work with CUI, which opens the pathway to many DOD contracts. Since most DOD contracts will require CMMC Level 1-3, achieving this level gives small-to-medium businesses access to a large share of DOD work. If the contract carries the DFARS 252.204-7012 clause, meaning CUI is involved, expect CMMC Level 3 to be required.
At Level 3, an organization begins managing its processes. That means it has a plan and the necessary resources for managing programs. The organization follows all NIST 800-171 controls, plus 20 additional practices from other standards.
Level 4 — Proactive
As the data involved becomes more sensitive, organizations must be wary of advanced persistent threats (APTs). At CMMC Level 4, an organization is expected to be able to detect and respond to the tactics of APTs, not just to opportunistic attacks, in order to protect CUI. It's most appropriate for medium and larger organizations. This level introduces requirements to regularly review activities for their effectiveness, document these findings and notify upper management when any issues arise. At this level, organizations incorporate 26 additional practices, most of them drawn from draft NIST SP 800-171B (the enhanced requirements later published as SP 800-172) and a few from other standards. In total, the organization must perform 156 cybersecurity practices.
Level 5 — Advanced/Progressive
Level 5 represents organizations with cybersecurity infrastructure at its peak maturity. It's best for larger organizations that must defend against APTs and have the resources to optimize their cybersecurity posture continually. Enterprises that have achieved CMMC Level 5 must improve and standardize process implementation across the organization. This level requires organizations to incorporate 15 more practices from NIST 800-171B and other standards for a total of 171 cyber hygiene practices.
Once you've determined the CMMC level you must certify your organization to, you can start other preparations. Some steps to take include:
- Determining which of your practices currently align with NIST 800-171 and other CMMC required practices.
- Performing a gap analysis to understand what you must do to bring your organization in line with the requirements.
- Budgeting for compliance with all the necessary controls at your desired certification level.
- Creating an action plan and timeline for becoming compliant.
For more information, visit our CMMC compliance guide to learn about some of the specific requirements you'll need to meet.
Step 3 — Audit and Work with Third-Party Assessors
Now that the CMMC Accreditation Body (CMMC-AB) has begun recognizing C3PAOs, organizations may officially start the auditing process. A C3PAO is an organization with an accreditation from the CMMC-AB that is authorized to conduct CMMC assessments. While you can run an internal audit to check that your organization performs all the required CMMC practices, you'll need a third-party verification from a C3PAO for certification. The C3PAO will submit their findings and recommendations to the CMMC-AB to determine if your organization conforms to your desired CMMC level.
The CMMC-AB recommends taking six months to prepare before the audit. If you're planning to compete for any upcoming DOD contracts requiring CMMC, you should start preparing now. As an accredited C3PAO, NQA is uniquely qualified to identify ways you can prepare. By requesting a gap analysis from NQA, you'll undergo a rigorous audit, similar to what you'll do when getting certified. The gap analysis will identify what you must do to become compliant with your desired CMMC maturity level.
When you're ready, you can also trust NQA to perform a value-added audit. That means that as we assess your organization for standard conformity, we'll also identify opportunities for improvement customized to your organization. Since regular reviews, maintenance and improvements are required at higher maturity levels, the right auditor can act as a valuable partner for your organization's cybersecurity.
The CMMC audit and assessment process follows four steps:
- Review the cybersecurity program: First, the assessor will contact the person responsible for your organization's cybersecurity. It might be someone in-house or a third party, depending on how your business handles its information technology (IT) infrastructure. The C3PAO will work with your cybersecurity manager to better understand your IT environment and how you store and transmit CUI.
- Review the controls: Next, the auditor will review the specific controls your company is following. They will double-check that all the controls listed in the CMMC at your chosen maturity level are in place. Specifically, they'll look at the measures your organization takes to detect, prevent, minimize and counteract cybersecurity threats.
- Verify that the controls are implemented: The third-party auditor will analyze each control to see that your organization has implemented it sufficiently. During this process, they may ask the personnel responsible for cybersecurity to explain how a specific function or control works within your organization.
- Issue an official audit report: When the audit is complete, your C3PAO will release an official audit report to your company and the CMMC-AB. The specific findings will remain confidential. Once you've earned your certification, it will be valid for three years.
At NQA, we match our customers with auditors experienced in your subsector and aligned with your culture. We have many assessors with experience in the DIB who can determine how to apply CMMC and other cybersecurity requirements to your unique organization.
FAQs about CMMC Certification
At NQA, we've been getting many questions about CMMC from our clients in the DIB. Here are some of the most common:
1. What is the Goal of CMMC?
As the standard rolls out, many DIB companies are wondering why CMMC is replacing other cybersecurity standards. The CMMC standard unifies several related standards and breaks them down into certification levels. This makes the requirements scalable to the many companies involved in the DIB.
That means smaller operations working with less critical data will not need to certify to the same level as an enterprise dealing with highly sensitive information. CMMC also introduces a certification requirement, which allows the DOD to verify that the companies they work with use suitable cybersecurity practices.
2. How do I get Certified to CMMC?
After following the steps required to comply with CMMC standards, look for an Authorized or Accredited C3PAO from the CMMC-AB's website. You'll work with your C3PAO to coordinate the assessments and make contractual agreements. After a successful audit that yields no deficiencies, the C3PAO will provide an assessment report and issue your valid CMMC certificate.
3. How Much Does it Cost?
The cost of CMMC certification can depend on many factors, and since the process is so new, the pricing structure isn't set in stone yet. Nevertheless, the DOD estimates that a three-year Level 1 certification could cost about $3,000 per company. Certifying to a higher level will cost more.
The DOD considers CMMC an allowable cost, meaning certification expenses can be recovered through your contract rates rather than absorbed entirely as overhead. Other direct certification costs include the cost of the assessment itself, which varies with your level and the size of your environment. If you pass the first assessment, you won't have to pay for a second one, which keeps the cost down.
4. What are the Indirect Costs of Certification?
Besides the cost for the audit and certification itself, consider how closely aligned you are with the CMMC standards. If you're already following NIST 800-171, you won't have too much to do to comply with CMMC. However, if you must meet CMMC standards from scratch, it will take more time and investments to catch up.
5. What is the Timeline?
Most estimates say a reasonable CMMC certification timeline is about six months. The first DOD contracts requiring CMMC are slated for 2021. During the first year of the rollout, 15 new Prime contractors will be required to meet CMMC and flow down CMMC requirements to all their subcontractors. By the end of the five-year rollout in 2025, 475 new Prime contractors will need to meet CMMC requirements.
6. Who will Audit for CMMC?
The CMMC-AB authorizes Certified Third-Party Assessor Organizations to conduct audits and recommend the requesting organization for certification. Those C3PAOs will assign Authorized or Certified CMMC assessors to audit their clients. While companies can conduct an internal audit prior to the certification audit, they cannot self-certify based on the results of their internal audit. You can also reach out to NQA, an Accredited CMMC C3PAO, to get started.
7. Who can Certify to CMMC?
Currently, only DOD contractors must become certified to CMMC. Any organization in the DIB can start the certification process. DOD subcontractors also need to become certified if the Prime contractor has a CMMC requirement, and the level depends on the type of information flowed down to the subcontractors. If your organization possesses FCI and does not handle CUI, you must meet at least CMMC Level 1.
8. Who Must Certify to CMMC?
All DOD contractors must certify to CMMC to compete on DOD contracts with CMMC requirements. Once CMMC completes its rollout, all DOD contractors and subcontractors must hold at least CMMC Level 1, with the required level determined by the information they handle.
9. What are the CMMC Levels?
There are five maturity levels in CMMC. Level 1 is known as Basic Cyber Hygiene. Level 2 is Intermediate Cyber Hygiene, while Level 3 is Good Cyber Hygiene. Level 4 is considered proactive, while Level 5, the most sophisticated, is Advanced/Progressive.
10. How Long is CMMC Certification Valid?
Generally, CMMC certificates are valid for three years. After that, organizations will need to be reassessed by a C3PAO to renew the certification.
11. Will my Company's CMMC Level be Public?
Upon successful certification, your C3PAO submits your assessment report and a copy of your certificate to the DOD. However, the results of your CMMC assessment and your CMMC level will not be public information. The only publicly available information is that your organization possesses a valid CMMC certificate, with no level disclosed.
12. What is the CMMC-AB?
The CMMC Accreditation Body is the independent organization that authorizes and accredits C3PAOs, alongside the CMMC Assessors and Instructors Certification Organization (CAICO). Essentially the CMMC-AB is responsible for evaluating C3PAOs and their assessors to ensure they are impartial, thorough and understand the CMMC standards. The CMMC-AB must conform to ISO/IEC 17011, Conformity Assessment — Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies.
13. Is CMMC Certification Available?
Yes. Now that the CMMC-AB has officially issued accreditations to C3PAOs, there are organizations authorized to issue certifications to organizations conforming with CMMC. Until CMMC Levels 4 and 5 roll out, organizations may only obtain certification for CMMC Levels 1-3.
Start Preparing for CMMC Today
As an accredited CMMC C3PAO, NQA can be your partner on your road to CMMC certification. If you're just beginning the certification process, we recommend you start with a CMMC gap analysis. We determine what you need to do to align with the CMMC requirements and match you with a consultant to assist with implementation. When you're ready to become certified, contact NQA to request an audit and set yourself up to bid on future DOD contracts.