CMMC in 2023

In an era where cybersecurity threats loom large, organizations across various industries are prioritizing the implementation of robust security measures to protect their sensitive information. For businesses that work with the Department of Defense (DoD), compliance with the Cybersecurity Maturity Model Certification (CMMC) is becoming a crucial requirement. CMMC is a certification program introduced to improve supply chain security in the defense industrial base (DIB). By the end of 2025, the DoD will require all contractors to be certified to one of the three CMMC levels. Excedeo, San Diego’s CMMC Compliance expert, is here to guide you through the requirements and the timeline for your CMMC Compliance journey.  

CMMC requires organizations to adopt best practices in cybersecurity that can be tailored to their specific needs. CMMC covers five domains:

  1. Access control
  2. Asset management
  3. Configuration management
  4. Media protection
  5. System security

What Are The Three Levels of CMMC2.0?

CMMC has gone through several revisions and is currently on version 2.0. This most recent version of the CMMC framework consists of three progressively advanced levels. Each level requires contractors to adhere to a series of security controls and either prove compliance independently or be certified regularly via a third-party or government-led assessment. The three levels are:

  1. Foundational: This level requires basic cybersecurity protocols deployed by most companies. To reach Level 1, firms need to implement 17 NIST SP 800-171 Rev2 controls.

  2. Advanced: This level requires basic cybersecurity protocols deployed by most companies. To reach Level 1, firms need to implement 17 NIST SP 800-171 Rev2 controls.
  3. Expert: This level includes advanced cybersecurity processes implemented, reviewed and updated across the enterprise. Companies need to implement all NIST 800-171 controls plus an additional subset of NIST 800-172 controls.

The required certification level will be determined by the specific kind of information a company handles and the type of work it does. The specific level of certification will be spelled out in all new DoD contracts. 

When Does My Business Need to be CMMC Compliant?

Almost four years after the Pentagon announced its plan to begin certifying DoD contractors as early as 2020, the rollout of the program has not been completely straightforward. As of 2023, the exact timeline around the CMMC 2.0 rulemaking process is still up for determination. However, a notice of the proposed rule is coming in 2023, which suggests CMMC assessments could become a requirement in contracts as soon as 2024. 

What Should San Diego Government Contractors Do Now in 2023 To Prepare for CMMC?

The exact timeline of CMMC becoming a reality may be shifting, but the best way to prepare for the compliance deadline is to be proactive. Start by preparing for a CMMC assessment by identifying gaps, and implementing solutions to remediate the gaps, so you can ultimately achieve the appropriate CMMC Level for your San Diego organization:

  1. Assess Your Current State: Evaluate your organization’s current cybersecurity practices and identify any gaps or areas that need improvement. This assessment helps determine the starting point for your compliance journey.

  2. Define Your Target Level: Determine the CMMC level you need to achieve based on the requirements specified in your contracts or agreements with the Department of Defense (DoD). Each contract will specify the required CMMC level, such as Level 1, Level 3, etc.

  3. Develop a Plan: Create a roadmap or plan to address the gaps identified in the assessment and work towards achieving the desired CMMC level. This plan should outline the necessary steps, resources, and timeline required for compliance.

  4. Implement Security Controls: Implement the specific security controls and practices required for your target CMMC level. The controls are outlined in the CMMC framework and associated references like NIST SP 800-171, NIST SP 800-53, and others, depending on the level.

  5. Conduct Internal Reviews: Regularly review and assess your implemented security controls to ensure they are functioning effectively. This step helps identify any weaknesses or areas that require adjustments or improvements.

  6. Prepare for External Assessment: Engage with a certified third-party assessor organization (C3PAO) or an accredited assessor to conduct an independent assessment of your organization’s compliance with the selected CMMC level. This assessment will determine your eligibility for certification.

How Excedeo Can Help San Diego Government Contractors With CMMC Compliance

Are you interested in finding out whether your business meets CMMC compliance? Do you need some help with CMMC regulations or conducting a CMMC audit? At Excedeo, we specialize in providing comprehensive IT services to San Diego government contractors, including expert support for achieving CMMC compliance. Our team starts by conducting a comprehensive assessment of your organization’s cybersecurity processes and procedures, identifying any areas that require improvement to meet CMMC requirements. Leveraging our expertise in managed IT support and cybersecurity, we will develop a CMMC remediation plan and assist in implementing the necessary security controls to achieve the appropriate CMMC level for your San Diego business. Don’t wait for the CMMC compliance deadline and put your valuable DoD contracts at risk. Contact Excedeo today to get started.