Cyber-attacks disrupt business operations and put intellectual property and sensitive financial and strategic information at risk. In a 2018 report, the Council of Economic Advisers (CEA) estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. Another report by the Center for Strategic and International Studies (CSIS), in partnership with McAfee, states that about $600 billion, nearly one percent of global GDP, is lost to cyber-crime annually.
The Cybersecurity Maturity Model Certification (CMMC) is the unified framework used by the Department of Defense (DoD) to verify and ensure appropriate levels of cybersecurity compliance. Version 1.0 of the CMMC became available earlier this year and by June 2020 will be integrated as part of Request for Information (RFI) solicitations. The CMMC is set to streamline previous standards and best practices into one guideline that encompasses maturity levels, from basic to advanced, across all federal acquisition processes. The system is also used to evaluate companies’ maturity levels within this model.
All companies interested in contracting with the DoD, including subcontractors, must be certified, even if they do not handle Controlled Unclassified Information (CUI).
The CMMC does not have a self-certification element, so companies need to assess compliance and coordinate their CMMC certification through an accredited independent third-party company. These third-party entities are not in place yet and are still to be determined. In addition, there may be a consultation fee associated with the services provided by these companies.
The National Institute of Standards and Technology (NIST) offers tools for self-assessment and auditing to help organizations understand cybersecurity risks and identify areas of improvement prior to certification.
There is currently no cost associated with the certification process. Any future cost is expected to be affordable for small businesses and will be considered an allowable, reimbursable cost. The duration of the certification is not yet determined.
Want to learn more?
Norcal PTAC is here to assist you:
- Visit our Cybersecurity Page for helpful links
- Watch the recordings of our past webinars: Cyber Security Compliance in Government Contracting from Oct 2019 (includes a compliance checklist) and Understanding 2020 Cybersecurity Regulations from Apr 2020
- For no-cost counseling, reach out to your PTAC Procurement Specialist or apply for services.