
Publication date: May 17, 2021

Are You Ready for the 5-Tiered CMMC Framework this Fall?

If your organization contracts with the DoD at any level, the time to get ready is now!


Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and a board member and treasurer of the CIO Council of South Florida.

Since November 30, 2020, the interim rule issued by the DoD has initiated a 5-year phased rollout, introducing the new CMMC Framework requirement in government RFPs; the framework builds upon the previous standard, NIST 800-27001, by adding additional security controls. Matthew Travis, the freshly-minted CEO of the CMMC Accreditation Body, declared in April’s Town Hall that the 5-tiered CMMC Framework is ready for rollout. Starting last winter, the DoD began stating the required CMMC level in the RFP, with 15 contracts expected to see the change by the end of FY2021. All DoD contractors and subcontractors will need to be certified to bid on DoD requests for proposals. Keep in mind that self-assessment is no longer allowed: contractors must receive an independent assessment from a qualified third-party assessor, known as a C3PAO.

Applications to become a C3PAO – an entity licensed to perform CMMC assessments – are being received steadily, with the hope of having a fully operational certification program by the latter part of 2021. It is estimated that approximately 60% of all awarded contracts currently require the lowest certification, CMMC Level 1, which is considered “basic cyber hygiene” and applies to contracts containing Federal Contract Information (FCI). Contractors who create or access Controlled Unclassified Information (CUI) must qualify at CMMC Level 3, which is considered “good cyber hygiene”. Far fewer contractors will have to comply at the highest level, CMMC Level 5. The main focus of this advanced or progressive level is to protect CUI from Advanced Persistent Threats (APTs).

The CMMC certification is not optional. The program is designed to force companies doing business with the US Government to comply with a standard baseline of cybersecurity controls.

To prepare for a third-party CMMC assessment, you should ensure your company has a documented System Security Plan and Plan of Action in place. We recommend our four-phased approach to CMMC certification:

Fig. 1

This is where Elevate can help! We can do the legwork for you. Elevate is already familiar with all tiers of the CMMC and can assist in evaluating your company’s current System Security Plan (SSP) and Plan of Action and Milestones (POA&M), advise on areas that need improvement, and provide a plan of action to achieve CMMC readiness. Click here to learn more about our CMMC Readiness services.


Contact Elevate today to learn more about Elevate Insights | IT Compliance and Privacy

Elevate // +1 (888) 601-5351 // Monday to Friday 9am-6pm