Cybersecurity Maturity Model Certification (CMMC)
Heard of CMMC but not sure it applies to you? Not sure what is required or if you can afford it? Let the PCI experts get you ready.
PCI helps DoD contractors prepare for their CMMC assessments quickly and affordably.
Does CMMC apply to me?
“All companies conducting business with the DoD must be certified.”
– Quote from OUSD(A&S)
Starting in June 2020, all new Department of Defense contracts will require contractors, including subcontractors, to hold a Cybersecurity Maturity Model Certification (CMMC).
According to the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), all companies, no matter how small or what service they provide, will have to be assessed and certified before they can submit a proposal.
The reason for CMMC
Security is no longer optional and no longer confined to IT – every business is affected.
- The average cost of a data breach for a small to medium-sized business is $149k
- Malicious cyber activity cost the US economy between $57 and $109 billion in 2016
- Small businesses severely underestimate the damage a cyber-attack can cause
- The costs of a breach can include damages, data recovery, system repairs and upgrades, lost business, public relations and damage control, potential lawsuits, and lost customers and trust
- 43% of businesses say they have no confidence in their cyber resilience
- The Small Business Administration (SBA) estimates that 43% of cyber incidents target small businesses
- The cost of a data breach has risen 12% over the past 5 years, and the costs of an incident can continue for several years after the initial breach
Why many small businesses put no effort into cybersecurity, and why they should.
- “I don’t have any important data.” — At a minimum, every company holds employee data (PII) or proprietary business data.
- “A hacker wouldn’t target me.” — The risk from a hacker may be low, but it is not zero, especially if you do business with the government. Natural disasters, disgruntled employees, and human error can also affect any company.
The Cybersecurity Maturity Model aims to significantly enhance the cybersecurity and resiliency of the DoD’s contractor network by creating a single cybersecurity standard for companies to meet. It ensures an appropriate level of cyber hygiene, resilience against threat actors, and resistance to information exfiltration for a given contract.
The 5 CMMC Levels
Cybersecurity is holistic. It involves much more than just securing servers and data. It also includes risk management, incident response, physical security, employee awareness training, and more.
The DoD’s new Cybersecurity Maturity Model builds upon the existing NIST SP 800-171 requirements and the DFARS 252.204-7012 clause and adds a certification component. It combines several cybersecurity standards and best practices into a family of controls grouped by the level of cybersecurity maturity a contract requires.
The CMMC defines five levels of increasing cybersecurity maturity, from basic cyber hygiene at Level 1 to advanced practices at Level 5.
How Do I Become Certified?
· Your company will request and schedule its own assessment
· A certified independent third-party assessment organization will assess your company against the CMMC level you are seeking
· Your company will be awarded a certification level by demonstrating the appropriate cybersecurity maturity to the assessors
· There will be no self-certification
· There will be no Plans of Action and Milestones (POA&Ms): every practice for the level must be in place at assessment time
· The cost of certification will be considered an allowable, reimbursable cost as part of the contract and will not be prohibitive
· The goal is for CMMC to be cost-effective and affordable for small businesses
What PCI Provides
PCI brings several years of cybersecurity expertise, including experience helping small businesses become NIST SP 800-171 compliant. The PCI experts stay up to date on the latest CMMC news and have been involved in shaping the CMMC model and accreditation process.
Many consulting companies charge over $100k and take more than three months to get you ready for an assessment. Most small businesses don’t have that kind of money, or the time, and they don’t have the expertise or staff to do it themselves.
PCI is different. We’ll get you ready for a CMMC assessor at whatever CMMC level your contracts require.
We provide certification consulting at an affordable cost in a short amount of time, with assistance customized to your company’s needs. Services include:
Evaluation of CMMC Level needed
Templates for all required documentation
Policy “bootcamps” to help you customize the policies, complete with examples and recommended measures
Assistance requesting and scheduling your assessment
Real-time documentation updates
On-site hardware and software installations and configurations
Annual employee cyber security awareness training
On-site rapid compliance support
Every company is different, and your cybersecurity should match your business.
PCI provides customized CMMC support. We can help you prepare for your assessment and certification whether or not you are already familiar with CMMC.
Email us for more information or to talk about your company’s specific needs. CMMC@gopci.com
Read more about CMMC from the source at https://www.acq.osd.mil/cmmc/index.html
There is no reason to wait! CMMC is here!
“After starting with a different company, we were more confused than when we started. PCI made it simple and straightforward.”
– Kurt Olsen from VPI