Is your business providing services to the United States DoD? Or are you thinking of becoming a trusted supplier for the department but don’t know where to start as a Canadian business when it comes to being a trusted supplier under the new CMMC scheme? This blog post is for you.
CMMC is short for Cybersecurity Maturity Model Certification. Announced in January 2020, the program requires all contractors or subcontractors offering services or selling products to the DoD to be accredited under its provisions. This includes contractors based in Canada.
Put simply, your company’s IT security needs to be up for the job. This is what the CMMC framework regulates and measures. It is also the core of our expertise. But before we talk about how F12 can help you, let’s take a closer look at CMMC.
You have a bit of time: the target year for CMMC to be fully operational is 2026. However, this doesn’t mean you should put the issue on the backburner. The department is phasing the certification and has already applied it to several contracts over the past year. Now is an excellent time to start the process if you would like to continue supplying to the DoD or start offering your company’s services.
The DoD wants to ensure that all contractors are taking cybersecurity seriously. With the CMMC framework, the department can assess and measure its contractors’ controls in that area.
One of the key points mentioned by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(AS)) is stewardship of so-called Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Both are sensitive areas in which the OUSD(AS) entrusts information to contractors and wants to ensure that any details shared are looked after carefully.
The CMMC framework has ﬁve levels. It has been designed to make it easy for small businesses to (continue) work(ing) with the DoD. Each Canadian contractor applying for certification starts at level one and works their way up from there.
Level one requires you to have basic cybersecurity measures in place and to document specific processes. Level five, on the other hand, is reserved for the most advanced contracts and projects. At this level, you need to show that you can resist even the most advanced threats and respond at machine (rather than human) speed.
Levels two, three and four offer steps in between these extremes. The CMMC regulations also tie into other, related frameworks including NIST (800-717), FAR (52.204-21) and DFARS
Canadian companies aiming for CMMC compliance need to achieve certification at each level.
Sounds complicated? It doesn’t need to be.
Much of the information you need to start the process is published on the OUSD(AS) website. This is a great place to begin.
However, if you find navigating the individual requirements daunting, we can help. A considerable number of the specific checks and controls required to start your CMMC certification journey are part of our IT support and solutions services.
Whether you are only just starting as a business or a seasoned operator, we’ve got you covered. Our packages take IT security out of your hands and allow you to concentrate on the core of what makes your company stand out.
We have reliable and comprehensive solutions that allow Canadian contractors to pass CMMC requirements. As your business grows, we help your IT systems grow with it, sustainably and safely. If you are aiming for the highest level of CMMC certification right now, we help you transition through the individual levels smoothly.
Talk to us to find the best path for you.