Optiv’s CMMC Capabilities
Our experienced team can help you navigate your Cybersecurity Maturity Model Certification (CMMC) journey across all aspects of people, processes and technology.
CMMC: More than a controls audit.
At Optiv, we think about the Cybersecurity Maturity Model Certification (CMMC) differently. Most organizations view this as another compliance check-the-box requirement, not realizing the impact CMMC can have on their entire company if implemented in a silo.
This is more than a compliance audit; it’s a new way of doing business with the Federal Government. Without a certification at one of five maturity levels, an existing or potential defense contractor will not be able to view or bid on new contracts once CMMC is fully implemented. This, along with new interim requirements going into effect November 30, 2020, means the Defense Industrial Base (DIB) must prove compliance through a CMMC Independent Third-Party Auditor (C3PAO) or risk losing any future business with the DOD.
Meeting CMMC requirements without slowing down your business isn’t easy. That’s why Optiv is here to help you think through a fully integrated federal business strategy. In addition to process and practice requirements, we guide you through your business growth, regulatory compliance, contract compliance, and operational needs to design a sustainably compliant and scalable solution.
The Basics of CMMC
The roll-out of CMMC means significant changes are coming to the DOD supply chain starting in 2021. As a measure to protect sensitive information, CMMC is designed to verify and provide DOD the assurance that a Defense Industrial Base (DIB) Contractor can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Contractors will be required to meet one of five data security maturity levels – ranging from basic hygiene to “State-of-the-Art” – to have bidding opportunities for future work with the DOD. To achieve these levels, contractors must certify with independent, third-party auditors. Without that certification, contractors will not be able to view contracts they aren’t certified for, let alone bid on them.
While You Wait for CMMC
To reduce risk as CMMC is rolled out, the DOD has published several interim rules in the Federal Register that require the DIB to meet certain requirements by November 30, 2020.
So, what do you need to do?
- Use the NIST SP 800-171 DoD Assessment Methodology to prepare a NIST SP 800-171 Assessment Score for submission to the Supplier Performance Risk System (SPRS).
- Provide the government with access to your facilities and systems for Medium and High NIST SP 800-171 assessments (DFARS 252.204-7020).
- Obtain the required CMMC level at time of award via a C3PAO and maintain the certificate for the duration of the contract (DFARS 252.204-7021).
What are the CMMC Maturity Levels?
CMMC maturity levels serve to measure your organization’s process maturity or process institutionalization. Tasks and activities should be, to an extent, embedded or ingrained in the operations of the organization. The CMMC model consists of practices and processes that map across the five levels for all capabilities and domains.
Each of these five maturity levels consists of a set of processes ranging from ‘Performed’ to ‘Optimizing,’ and the practices range from ‘Basic Cyber Hygiene’ to ‘Advanced/Progressive.’ Based on your supply chain, business goals, and current capabilities, you may need a strategy and operating plan for each level to run your Federal business successfully.
As you can see, CMMC is far bigger than “checking a compliance box.” If a required audit finds you non-compliant, the consequences range from fines to losing your DOD business entirely.
Seems Like a Big Deal. Is It?
We know this seems like an awful lot of work and, depending on your organization, it might be. Here are some things to consider as you discuss these changes with your team and your leaders.
Do I really need more than a controls assessment?
Yes. Without a fully integrated federal business strategy and a clearly delineated system security boundary, your entire business could come to a halt due to a government audit. Growth, scalability, backend business support, and other similar elements should all be considered upfront, too, so you build a sustainably compliant model from the start.
Why should I care if I am non-compliant?
- Contract termination: If your organization is found to be non-compliant, its contract will be terminated. Plain and simple.
- Breach of contract lawsuits: The government could take legal action for negligence in failing to maintain contract and regulatory requirements.
- Fines: The Federal Trade Commission (FTC) has the authority to investigate and fine companies that are found not to be meeting the stated requirements.
- Loss of future revenue: Non-compliance could lead to permanent exclusion or temporary suspension from participating in some or all federal contracts in the future.
General David H. Petraeus, USA (Ret.)
Partner, KKR
Chairman, KKR Global Institute
Optiv Board of Directors
“U.S. businesses are experiencing a dramatic escalation of threats in cyberspace – from nation states, criminal organizations, extremists, company insiders, and hacktivists – and the threats have been growing in sophistication, as well.
Moreover, all of this has come at a time of transformation in how businesses operate as a result of the measures taken to reduce the spread of the global pandemic. The combination of increased threats and new vulnerabilities has made cybersecurity ever more difficult.
Nowhere is the substantial increase in the quantity and quality of threats in cyberspace more important than in the companies that are part of the supply chain of the Defense Industrial Base; indeed, cybersecurity shortcomings in those companies can result in serious damage to federal operations and compromise our national security.
American firms must upgrade their cyber defenses, and Optiv is determined to provide American companies with the most effective and most efficient comprehensive, integrated, managed cybersecurity solution possible.”
Contracts with DOD require deep knowledge
Get it right the first time.
As an information security leader, you are challenged by evolving information security requirements and the threat of intrusion and data leakage – now more than ever. And, as a DOD Contractor, you are ultimately responsible for addressing the risks specific to your environment and furnishing adequate security.
Yet you face these challenges:
Insufficient Resources
Compliance can be time-intensive, and the required technology capabilities can be cumbersome (e.g., network monitoring and penetration testing). Federal contractors frequently do not have the resources to comply with CMMC requirements.
Lack of Formalization
Over 60% of the effort to comply with CMMC Level 3 requirements is based on formalization and documentation (e.g., policies, procedures and resourcing plans). Getting the support and resources to focus on the time-intensive task of documenting how requirements will be met and by whom, rather than on the technology capabilities that carry these processes out, is not always easy.
Inadequate Training and Awareness
Often, federal security requirements are new to your internal stakeholders. Key contractors need to understand the requirements they must abide by and their importance to national security.
Optiv understands the challenges faced by Federal Contractors and has an established team of cybersecurity professionals experienced in national security, compliance, and security program transformation who are ready to help commercial entities achieve CMMC compliance.
Contact us, and we can:
Advise and collaboratively strategize on an approach that works for your business. We can develop an overarching federal business and CUI protection strategy, leveraging your existing resources to protect your current and potential revenue.
Implement a federal business and CUI protection strategy, which may include organizational design, governance, processes and a compliant and scalable technology stack to successfully adhere to CMMC requirements.
Operate and continuously monitor your federal business environment, which is designed to protect sensitive data. Opportunities and compliance needs are continually evolving, and your business needs to be prepared for recurring audits and a dynamic landscape.