To address the continued rise of data breaches and other cybersecurity attacks on our federal government, the Department of Defense (DoD) has spent the past several years working to improve security for the defense industrial base.
In January 2020, the DoD launched a new cybersecurity standard called the Cybersecurity Maturity Model Certification (CMMC) program, building upon the existing standard in the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks. In its final form, the CMMC intends to combine various cybersecurity control standards into one unified standard for cybersecurity. In addition to evaluating specific control standards, the program will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
What does this mean for defense contractors? The new certification program increases visibility and accountability across the board, and although CMMC is being gradually phased in over the next five years beginning fiscal year 2021, many defense contractors will be required to be audited and certified by a third-party auditor (C3PAO) by 2026. The CMMC is a “go/no-go” qualification; in other words, the certification will determine whether a DoD contract can be awarded.
How To Prepare for CMMC Certification
As a defense contractor, you may already be working on a plan to gain certification—and if not, time is of the essence. CMMC certification will set your company apart in the marketplace and place you at an advantage as CMMC requirements are phased into contracts. When it comes to obtaining defense contracts, partial CMMC compliance will not be accepted.
If your organization lacks the resources to prepare for CMMC certification, or if those resources are focused elsewhere, our Advisory team can assist with CMMC readiness by charting a path to full certification.
How Brown Smith Wallace Can Help
Our IT Advisory team offers Readiness Services for defense contractors to prepare for CMMC certification. In short, we can:
- Identify required CMMC and FAR/DFARS obligations relevant to contracted services
- Develop a timeline for gaining required certifications
- Identify Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to develop or review data flow between contractor, government entities and/or other involved parties
- Perform a Gap Assessment of people, processes and technology against CMMC or NIST SP 800-171 controls
- Document a Site Security Plan (SSP) and Plan of Action and Milestones (POAM)
- Document a POAM (remediation plan) and monitor implementation progress
- Perform a Pre-Assessment for CMMC
Our IT Advisory Expertise
The Brown Smith Wallace team of strategic business advisors is focused on helping public, private and governmental organizations adjust to new regulations, such as the new CMMC program. Our IT Advisory team has a thorough understanding of cybersecurity frameworks and control assessments, including NIST, SOC 2, PCI and HITRUST.
Additional IT Advisory Services
Beyond regulatory compliance, our IT Advisory team can empower companies to improve their overall approach to data privacy through the following services:
- Security Risk Assessment
- Penetration Testing
- Internal Vulnerability Assessment
- Email Phishing and Social Engineering
- Cybersecurity Control Assessment
- PCI DSS Compliance
- Network Architecture Review
- Wireless Security Testing
- Incident Response Plan Assessment
- Secure Code Practice Assessment
- Defensive Security Consulting
Discuss Your CMMC Readiness Today
We advise that you get ahead of the curve and begin the certification process before the requirement comes into effect for your specific contract. Contact Greg Smith, Partner, Advisory Services at firstname.lastname@example.org, 314.983.1306 or Robert Hof, Consulting Manager, Advisory Services at email@example.com, 314.687.2382 for more information about CMMC readiness.