What is CMMC?
The Cybersecurity Maturity Model Certification (“CMMC”) is a unified cyber security framework of control standards and processes used to assess not only whether an organization's security practices are in place, but how well those practices are institutionalized. CMMC is specifically designed to safeguard Controlled Unclassified Information (“CUI”) held by Defense Industrial Base (“DIB”) entities.
DIB organizations will require CMMC certification to bid on future DoD contracts.
How does CMMC align with existing regulations and standards?
CMMC is the next generation of DoD regulation – existing FAR/DFARS requirements serve as the foundation for CMMC maturity.
- FAR 52.204-21
The FAR's basic safeguarding requirements map to a subset of NIST 800-171 controls.
- DFARS Cyber Regulations (DFARS 252.204-7012)
DFARS 252.204-7012 requires contractors handling CUI to implement the NIST 800-171 controls.
- NIST 800-171
CMMC practices largely align with NIST 800-171 controls.
How to Prepare?
Organizations must identify and remediate gaps in their practices and processes to meet their target CMMC maturity level and obtain the certification required to bid on future DoD projects.
- Identify Gaps
- Define a Plan of Action for Remediation
- Remediate Gaps
- Engage a Certified Third-Party Assessment Organization (C3PAO) for Certification Assessment
Why Start Now?
- Synergy with Existing Requirements
CMMC preparation reinforces existing FAR/DFARS requirements. DIB organizations must already self-attest that they are fully compliant with FAR/DFARS requirements, which form the foundation for CMMC.
- Imminent Rollout
Although the timing of the CMMC rollout is still evolving, existing guidance suggests required compliance will start as early as Q3 2020 and extend through 2026.
- Gap Identification as a First Step
Organizations should start identifying gaps now. If gaps are unknown, the level of effort, cost and timing for remediation are also unknown.
- Remediation Work Takes Time
Organizations that choose to wait may not be ready to pass a certification assessment in time.
- Business Imperative
The lack of a certification may result in the inability to bid on targeted projects (i.e. loss of business).
Why Choose Aon?
Aon’s Cyber Security Advisory Team brings dual-competency professionals with private- and public-sector (DoD/IC) experience and understands the complexity of our DIB clients’ regulatory, operational and cyber threat landscapes. We assist clients with a broad range of advisory services, including cyber security assessments, CISO advisory and controls testing. Our Global Advisory team offers a broad view into the regulatory risk environment and has extensive experience building and maturing cyber security programs based on NIST, CERT RMM and CIS framework requirements.