Debunking Some Common Myths about CMMC Compliance
by Kristen White, Blogger
Ever since 'CMMC compliance' became a buzzword in the Department of Defense (DoD) contractor community, many have started spreading myths, half-truths, and conspiracy theories about CMMC audits. Much of this misinformation has reached the roughly 300,000 contractors that make up the U.S. Defense Industrial Base since CMMC version 1.0 was officially released in January 2020.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed and launched by the Department of Defense to ensure that contractors across the Defense Industrial Base (DIB) meet defined cybersecurity requirements before handling DoD information. It builds on the existing NIST SP 800-171 requirements for protecting Controlled Unclassified Information (CUI) and adds independent, third-party verification that the controls are actually in place.
The increase in breaches and data theft affecting contractors compelled the DoD to make CMMC compliance a contract requirement for DIB contractors. Here are some CMMC myths that need immediate debunking:
Myth 1 – CMMC is Useless
CMMC has been widely welcomed, as experts expect the model to strengthen the cybersecurity of the DoD supply chain. The model puts controls and processes in place to ensure that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are not leaked because of a contractor's insecure systems.
CMMC also benefits contractors that already comply with the DoD's existing cybersecurity requirements (such as the NIST SP 800-171 controls required by DFARS 252.204-7012): they will have a competitive advantage over non-compliant contractors when contracts are awarded. Conversely, contractors that claim to be compliant while performing DoD contracts but are found not to be expose themselves to penalties.
Myth 2 – Contractors can get Self-Certified
Although DIB contractors are encouraged to perform self-assessments, under CMMC they cannot certify themselves. Certification requires an assessment by a Certified Third-Party Assessment Organization (C3PAO) accredited by the CMMC Accreditation Body (CMMC-AB). Contractors can remediate their compliance gaps on their own or work with a consulting company registered with the CMMC-AB.
Many contractors outsource the preparation work to qualified consultants (the CMMC-AB registers these as Registered Provider Organizations, or RPOs), who help close gaps and bring the organization up to the practices required at its target level. Preparation and certification are separate roles, however: under the CMMC-AB's conflict-of-interest rules, the organization that helps a contractor remediate should not be the one that assesses it, and the certification assessment itself is performed by a C3PAO, not by the CMMC-AB directly.
The cost of an assessment depends on the target CMMC level, the size and complexity of the contractor's network, and market factors. Whatever help is engaged, the contractor remains ultimately responsible for ensuring that its organization meets the required cybersecurity practices.
Myth 3 - CMMC Audit Won't Affect a Contractor's Ability to Get Work
CMMC certification is being phased into DoD contracts as a condition of award: a contractor must hold certification at the level specified in a solicitation to be eligible for that contract. Non-compliant contractors therefore risk being excluded from contracts that involve FCI or CUI, and they are also likely to lack security controls that are a must for handling sensitive DoD information.
Contractors should plan to be assessed as early as practical so they do not miss out on good contract opportunities. Experienced third-party CMMC consultants can help contractor clients meet the obligations of their target CMMC level. The CMMC model (version 1.0) defines five cumulative levels, each adding practices and process maturity on top of the one below:
1 – Basic Cyber Hygiene
2 – Intermediate Cyber Hygiene
3 – Good Cyber Hygiene
4 – Proactive
5 – Advanced / Progressive
Myth 4 – There's no need to Prepare for CMMC Audits
DoD contractors should determine as soon as possible which CMMC level they will need. The level is dictated by the contracts they pursue rather than chosen freely: Level 1 covers contractors that handle only FCI, while Level 3 is the baseline for handling CUI. Contractors that have already implemented all 110 NIST SP 800-171 controls are well on the way to Level 3, but they do not automatically qualify: Level 3 adds 20 further practices and requires that the practices be documented and managed as repeatable processes.
It is recommended that contractors partner with third-party consultants and assessors to ensure their cybersecurity measures meet the DoD's standards. They should prioritize a partner who is familiar with all the required standards and has the skills and knowledge to implement the security measures needed for CMMC compliance.
Created on Dec 2nd 2020 01:53.