In our previous blog, we discussed the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))’s upcoming roll out of approximately 10 large contracts which will require contractors to meet Cybersecurity Maturity Model Certification (CMMC) standards in 2020. Full CMMC rollout is expected by 2026. With the upcoming certification requirement, many potential contractors are beginning to assess readiness. Ensuring readiness to meet CMMC compliance will provide a competitive advantage and improve the ease in which potential contractors renew current Department of Defense (DOD) contracts.

What is it going to take to achieve readiness?

  • Determine target contracts
  • Identify and address current readiness gaps
  • Start processes and practices

Determine Target Contracts

CMMC v1.0 combines multiple existing frameworks and standards to establish a set of processes and practices that will increase the cybersecurity maturity level of DOD contractors and sub-contractors. There are five levels of required practices and processes dictated by CMMC.

Potential contractors should consider the types of DOD contracts previously awarded and classify the sensitivity of the information handled during those engagements. This process may be performed internally by management or in conjunction with a third-party cybersecurity expert. Identifying the sensitivity level of information previously handled by the contractor will aid in determining the desired CMMC level.

As potential contractors mature from Level 1 to Level 5, their practices and processes will progress from basic to advanced/progressive cyber hygiene. Each CMMC level is cumulative in nature; thus, each preceding level’s requirements must also be demonstrated in the desired level. See below for the focus and general applicability of each level. (Note: Proximity to sensitive information of the contract can greatly affect which level the contractor will be required to meet.)

  • Level 1 is basic cyber hygiene practices to safeguard Federal Contract Information (FCI).
  • Level 2 serves as a transition step in cybersecurity maturity progression to protect Controlled Unclassified Information (CUI).
  • Level 3 consists of good cyber hygiene practices through managed processes to protect CUI.
  • Level 4 involves proactive practices to protect CUI and reduce risk of Advanced Persistent Threats (APTs).
  • Level 5 encompasses advanced and progressive practices to protect CUI and reduce risk of APTs.

Once a potential contractor has determined the target contract and identified the desired CMMC level, they will begin assessing gaps in current practices and processes.

Identify and Address Current Readiness Gaps

Potential contractors must demonstrate both the requisite institutionalization of processes and the implementation of practices for a specific CMMC level, as well as the preceding lower levels in order to achieve the desired level.

Potential contractors should base the readiness assessment on the security requirements within CMMC v1.0. During the assessment, the potential contractor will need to determine which processes are currently in place, partially in place, or not in place to understand where gaps exist.

Potential contractors will need to gain an understanding of the efforts needed to close the identified gaps. This process begins with prioritizing gaps based on needed resources and ease of implementation. Subject to the degree of the gap, potential contractors may need to budget for financial resources and personnel time to accomplish closing all identified gaps. Additionally, potential contractors will need to assign responsibility to each deficiency and create a timeline for implementation. This process will provide potential contractors with a clear order in which each gap will be addressed, who is accountable, duration of implementation, and needed resources to ensure the desired level is achieved in time to bid on the targeted contract.

Start Processes and Practices

Targeted contracts have been determined, gaps have been identified, resources and processes have been identified to close gaps, and the clock is ticking. Potential contractors will now need to ensure that each individual within the potential contractor’s organization understands his/her role in performing the specified processes and practices. Depending on the desired level, establishing processes and practices will look different:

  • Level 1: potential contractors must perform the specified practices. Process maturity is not assessed for this level.
  • Level 2: potential contractors must establish and document practices and policies to guide the implementation of their CMMC efforts. Documenting the process allows personnel to perform them in a repeatable manner.
  • Level 3: potential contractors must establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. Plans may include missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
  • Level 4: potential contractors must review and measure practices for effectiveness. Corrective actions must be taken when necessary and communication of issues must occur to higher level management on a recurring basis.
  • Level 5: potential contractors must standardize and optimize process implementation across the organization.

By leveraging our experience with Federal government entities and expertise in assurance frameworks, including NIST 800 171, ISO, and NIST for Cybersecurity, HORNE Cyber is equipped to provide an independent, object review of your organization’s cybersecurity practices and processes. This review will identify potential security gaps that may impact a potential contractor’s readiness related to the upcoming CMMC regulations. In this blog series, we will discuss in detail each of the five CMMC levels and suggested steps for achieving CMMC readiness.


Cybersecurity Maturity Model Certification v1.0 (CMMC v1.0)