Previously, DIB organizations could self-certify their security compliance: each DIB organization was responsible for implementing, monitoring and certifying the security of its own information technology systems, as well as of any sensitive DoD information stored on or transmitted by those systems.
Towards the end of 2020, DIB organizations contracting and subcontracting to the US DoD will no longer be able to self-certify their compliance. Instead they will be required to attain CMMC certification, which starts with an assessment of all their CMMC practices.
Preparation for the assessment requires identifying the current gaps in processes and policies and then remediating them. Ideally this is performed by security practitioners with the expertise to efficiently develop a roadmap for the organization and then help prepare it for assessment by a CMMC third-party assessment organization (C3PAO) for certification.
This means that before your DIB organization can work on US DoD contracts, you will need to ensure all CMMC requirements are implemented for the level you are applying to contract at, and that compliance will then need to be assessed and approved by a C3PAO.
One such approach is from eFortresses, who offer a CMMC Scorecard: a roadmap prepared by qualified security practitioners and based on the following workstreams:
- Validate – objectively assess your current cybersecurity level, provide industry benchmarks and an effective roadmap for your journey towards CMMC Level 3
- Remediate – close the gaps in your current cybersecurity controls that could present a roadblock on your journey towards CMMC Level 3
- Certify – have your cybersecurity program assessed by an accredited CMMC Third-Party Assessment Organization (C3PAO)
- Improve – maintain your cybersecurity program at CMMC Level 3, or improve it to Level 4 or 5