Cybersecurity among the companies that do business with the U.S. Department of Defense (DoD) is a matter of national security. So is mitigating risk across the Defense Industrial Base (DIB), a vast supply chain of contractors and subcontractors that handle government information.
To counter those risks, the DoD established the Cybersecurity Maturity Model Certification (CMMC). It is one of the largest and most significant efforts underway to verify, rather than merely assert, that contractors conform to cybersecurity standards.
Every company bidding on a DoD contract that involves Controlled Unclassified Information (CUI) and/or Federal Contract Information (FCI), along with the subcontractors that handle that information, will be required to hold the appropriate CMMC certification once the requirement appears in contracts, which the DoD has targeted for 2023. Preparing is a long process, made easier with advisory services that map out the path forward.
Here is the low-down on The Cyber AB, which oversees CMMC conformance, and on how to proceed with confidence toward contractor compliance now.
Meet The Cyber AB, the Sole CMMC Accreditation Authority
The only channel for certification in the CMMC ecosystem runs through The Cyber AB. Founded in January 2020 as The CMMC Accreditation Body, Inc. (and still widely referred to as the CMMC Accreditation Body), The Cyber AB is a Maryland-based, nonprofit, 501(c)(3) tax-exempt organization and the exclusive authorized partner of the DoD for managing and implementing the CMMC ecosystem.
CMMC builds on the existing self-attestation regime of DFARS 252.204-7012, under which contractors were trusted to implement the NIST SP 800-171 safeguards on their own, by adding a verification component: contractors must demonstrate to an assessor that explicit cybersecurity requirements are met. These requirements and the CMMC Framework were the collaborative outcome of the DoD and its stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry.
According to The Cyber AB, the CMMC Framework combines various cybersecurity standards and best practices, intended to:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
The Levels of CMMC Security
In November 2021, the CMMC program was revised to CMMC 2.0, which collapses the original five maturity levels into three. The DoD is expected to complete rulemaking on these changes by May 2023. Until then, DoD contractors and Organizations Seeking Certification (OSCs) are expected to proceed as if the new levels are approved.
Level 1 – Foundational.
An organization must demonstrate basic cyber hygiene to protect Federal Contract Information (FCI). The Level 1 practices are the basic safeguarding requirements of FAR 52.204-21, such as limiting system access to authorized users and sanitizing media that held FCI before disposal.
Level 2 – Advanced.
An organization must have an institutionalized management plan for implementing good cyber hygiene to safeguard CUI, covering all 110 security requirements of NIST SP 800-171 Rev. 2 and the processes that support them.
Level 3 – Expert.
An organization must have standardized and optimized processes in place, plus enhanced practices (drawn from NIST SP 800-172) that detect and respond to the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs), including forensic analysis of incidents.
For defense contractors waiting on the ruling, The Cyber AB encourages voluntary CMMC security assessments. To help facilitate these assessments and, ultimately, certification, it has released a draft assessment process document that spells out in detail how authorized third-party assessment organizations will conduct CMMC assessments of contractors.
What is a Cyber AB RPO?
Within the CMMC hierarchy, achieving the right certification level is an arduous process. To help pave the way for Organizations Seeking Certification (OSCs), The Cyber AB registers certain individuals and organizations to provide advisory services.
Individuals complete training and an examination on the CMMC framework to be designated a Registered Practitioner (RP), who can provide consultative services that help OSCs prepare for certification. RPs work either as independent contractors or with a Registered Practitioner Organization (RPO).
By employing RPs, an RPO may deliver non-certified advisory services to OSCs, such as gap analysis and remediation planning, but it cannot conduct a certified CMMC assessment; only an authorized assessment organization can do that.
The pressure to obtain CMMC certification will continue to grow as the DoD deadline nears. RPOs that understand the CMMC framework and know how to prepare for implementation and eventual assessment can play a pivotal role in getting defense contractors into and through the certification gauntlet.
What is a C3PAO?
Some Registered Practitioners also pursue the rigorous path of becoming a Certified CMMC Professional (CCP) and, building on that credential, a Certified CMMC Assessor (CCA). At the enterprise level, a CMMC Third-Party Assessment Organization (C3PAO) employs CCPs and CCAs to conduct assessments of OSCs.
All C3PAOs must meet strict eligibility, authorization, and accreditation requirements established by the DoD and enforced by The Cyber AB.
The accreditation process is rigorous and conducted by a team of experienced, qualified professionals. Once a C3PAO achieves accreditation, it holds that status for a set term, with periodic renewals to verify that standards are maintained.
Is The Cyber AB part of DoD?
No. The Cyber AB is an independent organization operating under a "no cost" contract with the DoD. Run by full-time staff and governed by a Board of Directors, The Cyber AB serves the CMMC Program Management Office within DoD. Its revenue comes from application and renewal fees paid by participants in the CMMC ecosystem. That ecosystem is a large and diverse community of security and training professionals and more than 200,000 companies in the DIB, each with a role and responsibility toward cybersecurity compliance.
To prepare for your CMMC security assessment, contact DTS. We are an RPO and a small business contractor ourselves, which gives us the unique insight of doing this work both for ourselves and for our clients.
DTS provides tailored, scalable cyber solutions for small and medium-sized organizations. We draw on top resources and the expertise of talented individuals with a passion for excellence to help protect our clients' people and data.
Our approach is consultative and education oriented. You can feel confident that your DTS solution is strong, reliable, and helping to drive a culture of compliance. Choose DTS for security reviews and assessments, remediation, managed services, licenses, and fractional CIO services. Visit the contact page on the DTS website to schedule a consultation call.