Cybersecurity Maturity Model Certification (CMMC) 2.0 is here. If your company is not prepared, the time to get ready is now, or your company may risk losing business with the Department of Defense (DoD).
The CMMC program requires cyber protection standards for companies in the Defense Industrial Base (DIB) and aims to protect sensitive unclassified information that the DoD shares with contractors and subcontractors.
DoD’s Principal Deputy CIO Kelly Fletcher, speaking at an event in May, said that an updated Code of Federal Regulations (CFR) for CMMC 2.0 should be available for public comment by March 2023. Once the rule is available for public comment, Fletcher expects that CMMC certification will be a requirement in DoD contracts by summer 2023.
DIB contractors that handle Federal Contract Information (FCI) can self-attest to compliance, resulting in a Level 1 (L1) certification. Those handling Controlled Unclassified Information (CUI) will need to engage with an authorized third-party assessment organization (C3PAO), to attain the requisite Level 2 (L2) certification.
TD SYNNEX Public Sector is currently working with accredited companies to attain certification.
TD SYNNEX Public Sector recently launched as a unified, purpose-driven brand that combines the strengths and decades of dedicated service to the U.S. public sector of three successful organizations – DLT Solutions, Tech Data Public Sector Solutions and SYNNEX GOVSolv.
Maintaining a complete technology portfolio from endpoint devices and edge computing to advanced integrated software solutions, TD SYNNEX Public Sector focuses on the key domain areas that are shaping today’s U.S. public sector, including data and analytics, cybersecurity, IT infrastructure and application lifecycle.
Therefore, TD SYNNEX Public Sector is well positioned to assist the defense and intelligence community move toward a data-driven future – from the front office to the front lines – in the next phase of the DoD’s digital transformation and IT modernization initiatives.
The CMMC assessment and preparation processes are expensive and time-consuming. An L1 assessment has 17 security controls/requirements and an L2 has 110 controls that align with the National Institute of Standards and Technology (NIST) Special Publication 800-171.
Many of TD SYNNEX Public Sector’s technology vendors and channel partners are also seeking CMMC certification. If your company has not started the process, here are some things to consider:
- If your company handles CUI, it will need a C3PAO – an organization authorized by the CMMC Accreditation Board to conduct assessments. There are about 22 C3PAO companies authorized to conduct assessments for approximately 80,000 DIB companies expected to seek an L2 assessment. Demand exceeds supply, so get started now.
- More importantly, your company should prepare by engaging with an accredited consulting organization, or Registered Practitioner Organization (RPO). These companies can help your company prepare for an assessment, to make sure you pass on first try and avoid losing business. Though a C3PAO can also be an RPO, the C3PAO cannot provide RPO related services to a company they are assessing to avoid obvious conflicts of interest. This means your company will need to engage two accredited organizations: an RPO to help with preparation and a C3PAO to conduct the formal assessment.
- If your company expects to handle only FCI, it can self-assess to attain an L1 certification. Your company’s status is required to be recorded in the Supplier Performance Risk System (SPRS), where the DoD will examine it closely. To make sure your assessment score falls in line with the DoD’s expectations, seek the services of an RPO.
How To Get Started with CMMC
- 1. Determine what kind of data your company will handle in DoD contracts. If they will handle CUI, an L2 certification – requiring a C3PAO – will be necessary. If your company will handle only FCI, then you can self-attest to attain an L1 certification.
- 2. Engage with an RPO, particularly if your company is seeking an L2 certification. The number of RPOs is larger than C3PAOs, so the supply crunch is less critical than with C3PAOs. However, preparation for an assessment is more expensive and time-consuming than the assessment itself.
- 3. Working with an RPO to get ready is like studying for months to take the bar exam or Medical College Admission Test (MCAT). The test is grueling, but the preparation is where you spend the bulk of your time and effort.
- 4. Once the RPO thinks that your company is ready, we recommend a mock assessment (like a practice test) to determine if your organization can pass. Your company can engage one C3PAO to conduct both the mock assessment and the formal assessment. However, a C3PAO cannot provide consultation or remediation advice. They will simply tell you if you passed or failed. If you fail, the C3PAO will tell you which controls are out of compliance, but they cannot tell you why, or how to remediate the problem.
However, the RPO can provide remediation advice. If your company fails a mock assessment, seek advice on how to fix the issues that caused the failure. If your company hired a good RPO, then it should pass the mock assessment and the final assessment.
CMMC 2.0 will strengthen the cybersecurity posture of the DIB. It is a good first step. Once the framework is in place, the DoD and the rest of the government may tighten the screws on their suppliers. Even the state, local government and education (SLED) market has expressed an interest in working with vendors that are CMMC certified.
TD SYNNEX Public Sector, with our domain-specific solutions that span federal civilian, defense/intelligence community and SLED markets, and deep bench of industry-leading practitioners with decades of real-world experience, is poised to collaborate with technology vendors and channel partners to shore up their cybersecurity posture.