The Cybersecurity Maturity Model Certification (CMMC) is the DoD standard for cybersecurity requirements and validation that contractors meet those requirements. In the past, companies self-assessed cybersecurity readiness, often incorrectly. Now, a third party will verify your security controls through a CMMC assessment.

The framework measures companies against a tiered model based on the information they process. If you process Federal Contract Information (FCI), you'll need to meet baseline requirements. But if your business processes Controlled Unclassified Information (CUI), you'll need to meet more stringent requirements. Most organizations handling CUI will need to achieve CMMC Level 2, which includes 110 security practices across 17 domains and requires a certified third-party assessment.

FCI is any information the federal government provides, or a contractor creates under contract, that isn't intended for public release. CUI is any information that requires safeguarding or dissemination controls under laws, regulations, or government-wide policies. CUI comes in many types.

Here's what surprises many organizations: CMMC affects far more companies than most people realize. The requirements span the entire defense supply chain. Just because you don't believe you're "developing" cutting-edge technology for the government doesn't mean you won't handle CUI or need CMMC certification. Any company that touches CUI needs CMMC certification. Just note that CMMC is specific to DoD contracts, and other federal agencies have their own cybersecurity requirements.

Who does CMMC apply to? It’s simple: any company in the DoD's supply chain that handles FCI or CUI.

If you're a prime contractor, you likely know about CMMC and are determining how it affects your subcontractors. What matters is that second-tier, third-tier (and beyond) subcontractors all need to meet CMMC requirements.

You may be a small application developer that sells to a larger prime contractor. Maybe you're a hardware manufacturer that ships directly to the DoD. You could provide consulting services to help companies implement mission-critical programs. Whether you work with the DoD directly or you're a subcontractor far removed from the government, if your company has access to FCI or CUI, you need to know about CMMC and determine who needs to be CMMC certified—your organization or your subcontractors.

Achieving and maintaining your CMMC certification involves pretty much every department in your organization. However, some departments need to take ownership of the process.

Leadership has to understand that CMMC is a business risk issue. Get buy-in so you have proper staffing and budget. If you're pitching to the government and they require certification to award a contract, it becomes a board-level issue.

Your IT and security teams will do the heavy lifting when preparing for your actual assessment. They'll make sure all technical controls are in place. However, many organizations overlook that you need to prove you have controls in place. Documentation is everything. Proof comes in the form of your security policies, procedures, system security plans (SSPs), and records of completed security tasks.

Your contracts and procurement teams also play a big role. Procurement should identify if a solicitation requires CMMC during the initial read. Asking your technical team at the proposal stage only sets your team up for failure. Many businesses learn they need CMMC certification too late because a prime contractor inquires about certification status, or they see it in the solicitation. By then, determining who needs to comply with CMMC within your organization should have already been established.

If you want to work with the DoD and the contract requires certification, you won't win the contract if you're not certified. The DoD has made its intentions clear and isn't negotiating on this requirement.

Also, if you're a prime contractor, you'll need to validate that your subcontractors meet CMMC requirements. Just as primes scrutinize their compliance status, your subcontractors will scrutinize you. Companies that don't have certification will find it harder to keep subcontracting to companies that do. Think of it like dominoes—one contract you can't pursue because your company doesn't have the right certification knocks the entire organization down.

The financial impact of waiting doesn't stop when you decline work. Many companies wait too long until they announce a desirable contract they want to work on. Now you're playing catch-up, and it will cost you. Implementing controls at the last minute is more expensive. Consulting fees are higher because you're likely begging for help to meet your deadline. You also may very well miss the deadline.

You know CMMC applies to your organization. Now what? Here are the steps to help you start the process.

1. Determine your required CMMC level: The type of contracts you want to pursue or support will dictate this. Also consider where you want your organization to be in a few years. 

2. Perform a gap analysis: Once you know what level you need to achieve, determine where your organization stands. Review your current technical controls, policies, and procedures based on the requirements. Many organizations have cybersecurity controls in place but haven’t documented them well enough to support the process.  . However, once they perform a gap analysis, they quickly realize they have some controls but lack proper documentation or the advanced cybersecurity program CMMC demands.

3. Remediate gaps: Develop a timeline with your team. You don't need to rush this process, but you shouldn't put it off until the last minute either. When creating your timeline, prioritize what needs to be done and what can be done.

4. Document everything: Proper documentation is critical to pass your assessment. Make sure you have up-to-date policies, procedures, SSPs, and records of security tasks.

5. Partner with a certified C3PAO: Make sure the organization is an authorized Cybersecurity Third Party Assessment Organization (C3PAO) listed by The Cyber AB before engaging them. Before an assessor comes in, spot gaps yourself. They'll conduct testing to verify your controls are effective, so take advantage of your own internal testing to catch any remaining gaps.

You need to be certified before you submit a proposal. You need certification at contract award, which means before you bid.

The DoD is rolling CMMC out over three years to all solicitations, and by the end of the phased rollout, CMMC requirements will be included in most applicable DoD contracts involving FCI or CUI. Rare exceptions will exist but will be seen as outliers and not the norm. The timeline for full implementation depends on the type and sensitivity of information involved, but the trend is clear that CMMC requirements are becoming standard across the board. Once your favorite customer starts requiring certification for contracts, you're already too late. Get certified now, and you'll be ready when those opportunities surface.

CMMC will be part of your business whether you like it or not. You've likely known there are gaps in your cybersecurity program, and CMMC is forcing you to tackle them to protect your organization from cyber threats and maintain DoD contracts.