If you do business with the US Government, it is very likely you will need to be aware of CMMC. I have posted about this HERE and HERE. In short, it is an upcoming mandate enforcing security guidelines such as NIST 800-171. In the past, many guidelines were said to be required; however, there wasn't any "teeth" behind enforcing them. CMMC changes the game by making contracts require CMMC compliance, or access to that business will not be granted.
For organizations ranging from universities that receive government research grants to commercial organizations that sell directly or indirectly to the government through contracts, compliance will be required, or these revenue streams will be lost. For example, if you sell hotdogs to a company that provides those hotdogs to the government, you could be required to meet CMMC requirements. Today, you won't see such requirements, but starting within a year, CMMC will become the normal requirement as it is adopted within the government contract world.
The good news is you have time, and many requirements are things you should already be doing. Controls such as multifactor authentication and access control are evaluated either by you (self-assessment for Level 1) or by a third party for higher CMMC level certification. It is HIGHLY recommended to start looking at this now rather than waiting to be denied business due to CMMC.
A good starting point for your CMMC journey is understanding the language. I like this blog post by Preveil defining the core CMMC language, found HERE. Once you understand the language, the next step is to understand CMMC version 2, which again I posted about HERE. Next, you need to perform an assessment of your security capabilities against NIST 800-171. You could look at external resources or perform a self-assessment. However you do it, your goal is to identify gaps and get an idea of how much work would be needed to meet each level of CMMC. With these results, you can compare where you believe sensitive data lives within your organization with the level of CMMC you believe you will need to maintain or grow your business, and determine whether the level of effort is worth the results.
If you are unsure how to do an assessment, there is a marketplace you can search to find CMMC experts. I can be found on there by searching my name. Just go to CyberAB > Directory and search. Hope this post helps those that are new to CMMC.