How DoD Contractors Can Prepare for the CMMC

How Contractors for the Department of Defense Can Get Certified with the Cybersecurity Maturity Model Certification (CMMC)


Why Did the Department of Defense (DoD) Create the CMMC?

Anyone working for the DoD knows how much of an emphasis has been placed on cybersecurity in recent times.

Back in 2015, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS). This stipulated that all private contractors working for the DoD must abide by the cybersecurity standards of NIST SP 800-171.

The rationale behind DFARS is to better guard the nation’s defense supply chain against the threats posed by cyber attackers domestically and internationally.

DFARS has forced more than 300,000 private DoD contractors to adopt these new standards so they can comply with the current law.

A small number of contractors have become compliant using their own resources. Others have chosen third-party cybersecurity companies, like GRS Technology Solutions, to help them adopt NIST SP 800-171 cybersecurity standards.


Compliance has become so important that the DoD actively discriminates against private companies that do not meet the necessary cybersecurity standards during contract award procedures.

Yet despite the urgency whipped up by the DoD, thousands of contractors have yet to comply with the new standards. In fact, some contractors have even made false claims about their compliance.

To deal with this problem, the DoD has created the Cybersecurity Maturity Model Certification (CMMC). The CMMC is expected to guarantee the security standards of contractors and to better control the supply of controlled unclassified information (CUI).

Currently, the CMMC is in its early stages of development. DoD contractors need to be aware of the current status of CMMC, how it will impact them, and how they can prepare for potential CMMC audits in the future.

This GRS Technology Solutions guide will do all this and enable contractors to start the journey to becoming certified.

What Do You Need to Know About the CMMC Model?

The CMMC is what’s known as a verification component. It’s not a completely new standard but an evolution based on DFARS 252.204-7012.

These maturity levels will be used in RFP Sections L and M to distinguish between contractors.

In the long-term, the DoD intends to utilize the CMMC with other cybersecurity standards. They want to combine standards like NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.

Additionally, the CMMC will serve as a benchmark for measuring how institutionalized a contractor’s cybersecurity standards are.

DoD Contractors – So What Does All of this Mean?

It’s up to DoD contractors to comply. The CMMC is merely the latest attempt to urge contractors to make their practices compliant with the current demands of the DoD.

So what do DoD contractors have to do?

Firstly, all DoD contractors must prepare to pass a CMMC audit if they want to continue supplying products and services to the DoD. An uncertified contractor will not be able to hold existing or acquire new contracts to work with the DoD going forward.

Not only that but DoD contractors will need to meet specific levels of cybersecurity, as outlined by the CMMC, which you can find out about below.

What Do We Know about the CMMC and CMMC Audits?

The DoD will use a number of third parties to carry out audits and verify the level of cybersecurity controls offered by contractors. These third parties will be responsible for measuring compliance and providing guidance on current levels of risk.

Audits carried out by DoD-certified third-party assessors will determine whether a contractor is awarded the CMMC.


CMMC Timeline for 2020-2021

There is a myriad of activities, but the most impactful in 2020 and 2021 are shown in the following graphic.


How Can DoD Contractors Get CMMC Certified?

The only way to get CMMC certified is through an independent assessor. Contractors will need to work with them and schedule an audit.

Contractors should browse the different CMMC levels and specify to the auditor which level they need to continue to offer their services. The contractor will need to demonstrate they meet the appropriate level of cybersecurity to receive the CMMC.

Third-party auditors will only become available from January 2020 onwards. It’s recommended to apply for an assessment early, as a major backlog is expected.

About the Different CMMC Levels

Full guidance on the different CMMC levels is currently not available. The DoD is expected to release detailed information on the different levels in 2020. However, a limited amount of information has already been released.

Here’s what’s currently known about the levels of the CMMC and the requirements necessary to achieve them:

  • Level 1 – “Basic Cyber Hygiene” – To pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST SP 800-171 Rev. 1.
  • Level 2 – “Intermediate Cyber Hygiene” – To pass an audit for this level, the DoD contractor will need to implement another 46 controls of NIST SP 800-171 Rev. 1.
  • Level 3 – “Good Cyber Hygiene” – To pass an audit for this level, the DoD contractor will need to implement the final 47 controls of NIST SP 800-171 Rev. 1.
  • Level 4 – “Proactive” – To pass an audit for this level, the DoD contractor will need to implement 26 controls of NIST SP 800-171 Rev. B (still in the public comment stage).
  • Level 5 – “Advanced / Progressive” – To pass an audit for this level, the DoD contractor will need to implement the final 4 controls of NIST SP 800-171 Rev. B.

What Should DoD Contractors Do to Prepare for a CMMC Audit?

Different CMMC levels will require contractors to comply with different security controls, as outlined earlier in this guide.

Contractors who have already implemented the full set of NIST SP 800-171 controls shouldn’t experience any problems achieving at least CMMC Level 3.

However, if this has yet to be achieved, there are a number of options for contractors as they prepare for a 2020 CMMC audit.

Outsourcing to a CMMC Consultant

For all but the largest of contractors, the appropriate course of action is to invest in outsourcing the process of getting the CMMC to a qualified third party. In particular, outsourcing to a Managed Security Service Provider (MSSP) will enable contractors to get the expertise required.

However, the responsibility ultimately remains with the contractor to meet the necessary cybersecurity standards. This is why contractors should think long and hard about which MSSP they decide to hire.

Although it may be tempting to do everything in-house, outsourcing the process to a qualified MSSP will likely save you both time and money.

Not only will they be able to pinpoint areas of weakness, but they will be aware of what auditors will be looking at. It’s the best way to prepare for an upcoming CMMC audit.

Implement NIST SP 800-171 Yourself

Contractors who possess the staff and resources may want to consider doing everything in-house.

Contractors can take advantage of the guidance presented in the Self Assessment Handbook – NIST Handbook 162. It’s a workbook compiled by the National Institute of Standards and Technology (NIST) to help DoD contractors.

Be aware that this workbook only includes information up to and including NIST SP 800-171 Rev. 1. It doesn’t include anything more than that, so contractors will only be able to get up to a level 3 certification using this.

For NIST SP 800-171 Rev. B things are more complex as there’s no authorized workbook available.

If a contractor doesn’t have the knowledge or the resources available to implement these cybersecurity controls alone, they should consider outsourcing these tasks to a CMMC consultant.

These consultants may even be able to provide an audit themselves, as well as supporting contractors in tightening up any areas of weakness.

Steps to CMMC Compliance

The first step is to perform a gap analysis, together with an MSSP. The point of a gap analysis is to examine a contractor’s current cybersecurity posture in detail and then compare it to what’s necessary to achieve the desired CMMC level.

A gap analysis will discover which systems and processes are inadequate. An MSSP will also highlight areas that may be adequate today but could still be flagged by a CMMC auditor.

Some of the most common issues a gap analysis may flag include:

  • Information systems access.
  • Staff training.
  • Data record storage.
  • The implementation of cybersecurity controls.
  • Incident response development and implementation.

A gap analysis is the foundation of any journey towards CMMC implementation. Without it, contractors will find it impossible to figure out what changes they need to make to achieve compliance.

Following a gap analysis, the next step is to create a remediation plan. This will be based on the conclusions of the gap analysis.

Despite the grand-sounding name, a remediation plan may involve small, simple changes to fix specific processes or systems within the company. Sometimes, however, it may call for complete foundational changes. It depends entirely on the findings of the contractor’s gap analysis.

Outsourcing the CMMC process will also give contractors the benefit of a professional MSSP who can guide them towards success.

Step three begins after contractors implement the guidance found within the remediation plan.

A qualified MSSP will use a variety of tools to continually monitor the new systems and processes. They will be able to detect any breaches within these systems and provide detailed reports.

The key to CMMC is not only to meet the requirements but to be able to prove compliance should an audit take place.

After the contractor complies with the necessary security standards, an MSSP is able to produce the formal documentation that proves the contractor is now fully compliant. CMMC auditors require this documentation to certify the contractor.


Why Passing an Initial CMMC Audit is Critical

Contractors providing services to the DoD often rely on these DoD contracts as a significant source of revenue. To acquire these new contracts from 2020 onwards it will become a minimum requirement to possess the correct CMMC.

It should be considered a priority to pass a CMMC audit at the first attempt. Failing an audit will mean the contractor is no longer able to continue working for the DoD until they pass.

Outright failing a CMMC audit could be catastrophic for a company as it takes time to implement the correct controls and to request a further audit.

For DoD contractors, it’s well worth the investment to bring in a consultant capable of detecting problems outside of a formal audit.

Preparing for a CMMC Audit the Right Way

GRS Technology Solutions has provided expert help to DoD contractors in understanding the new CMMC standards and implementing NIST SP 800-171.

Our professionals specialize in helping contractors to prepare for the latest cybersecurity standards in the US.

Get a CMMC Consultation

Call: 703.854.9551
Email us a request