The Department of Defense (DOD) is transitioning away from self-assessments to a more structured approach relying on the Cybersecurity Maturity Model Certification (CMMC) standard and certified assessments. In 2020, the DOD released the initial version of CMMC. The guidelines mandate that all DOD suppliers, both prime contractors and subcontractors, hold CMMC certification by 2025 to participate in contract opportunities.
CMMC preparation action steps
Contractors need to do the following to prepare for CMMC certification:
- Determine the appropriate CMMC maturity level based on the organization’s situation;
- Identify gaps in current cybersecurity processes and practices relating to the targeted CMMC maturity level;
- Ensure the necessary cybersecurity practices are performed in accordance with the CMMC requirements;
- Document the policies and practices required to pursue contracts with higher CMMC maturity level requirements; and
- Demonstrate planning and management of the activities necessary to implement the cybersecurity practices required for contracts with higher CMMC maturity level requirements.
Signs you may need assistance
Whether an organization is relatively new to this area or an experienced contractor, the various levels of the CMMC present risk to most contractors. An organization may need assistance if any of the following apply:
- The contractor is unsure of how to comply with the CMMC.
- The contractor has not established cybersecurity practices that comply with the CMMC's Level 1 maturity.
- The contractor needs to establish and publish policies and practices for each domain as it moves through the CMMC’s Level 2 maturity.
- The contractor is interested in showing its commitment to the CMMC by progressing to Level 3 maturity and managing its cybersecurity risk.
AGH designated as a Registered Provider Organization by CMMC Accreditation Body
As a Registered Provider Organization (RPO), as designated by the CMMC Accreditation Body, AGH’s team of Registered Practitioners can assist contractors in preparing for the CMMC assessment. AGH can help identify gaps between a contractor's current processes and practices and those required by the CMMC, along with helping document those processes and practices in accordance with the CMMC. AGH professionals can also help contractors advance their cybersecurity processes and practices in anticipation of bidding on contracts that will require higher CMMC maturity levels.
AGH is currently the only RPO in the State of Kansas. AGH’s cybersecurity professionals have the proven experience and knowledge to help distill complex frameworks into specific actions. Like the DOD, AGH understands the value and importance of small- and medium-size contractors and the unique cybersecurity situations they face.