Does Your Organization Need CMMC Compliance?

There is a lot of buzz around Cybersecurity Maturity Model Certification (CMMC) compliance lately. But does your organization actually need to be compliant?

The Defense Federal Acquisition Regulation Supplement, or DFARS, was updated in October 2018 to include the CMMC requirement. This means that any organization that contracts with the Department of Defense (DoD) must now be CMMC compliant.

However, many organizations don’t believe the regulation applies to them or they are unclear as to whether their organization needs CMMC compliance. That’s why we’ve created this article to help you determine if your organization is required to be CMMC compliant according to DFARS. First, let’s take a look at what CMMC is and what it covers.

The CMMC is a five-level certification program that was created by the National Institute of Standards and Technology, or NIST. It outlines best practices for cybersecurity and helps organizations measure their cybersecurity maturity. The CMMC certification is required for any organization that contracts with the DoD, but it can also be beneficial for organizations outside of the military. It gives organizations an objective way to measure themselves against other organizations and identify any areas where they can enhance their cybersecurity.

The CMMC is broken down into five levels, each level representing more mature organizations that are better equipped to secure their organization. The first level is called basic, which represents the organization that has not yet implemented any organization-wide security practices. The highest level, utility, represents organizations that have implemented organization-wide security practices in every area of their organization.

One important thing to note is that CMMC compliance applies to organizations and not workstations. Much of the regulation is also focused on preventative measures such as having a written cybersecurity policy, employing risk management practices, and using security tools.

So how do you determine if your organization needs CMMC compliance? The best way to do this is to review the DFARS clause 252.204-7012, which covers safeguarding DoD information systems. This clause requires organizations to implement minimum cyber hygiene controls, which are outlined in NIST SP 800-53. If your organization does not have these controls in place, then you are required to be CMMC compliant.

If you’re still unsure if your organization needs CMMC compliance, reach out to a trusted managed IT service provider. They can help you review the requirements and make sure your organization is compliant.