CMMC Compliance Requirements:
Everything You Need to Know in 2022

The expanding role of CMMC compliance

2019 - CMMC compliance is currently a requirement only for businesses that contract for the DoD.

General Services Administration (GSA) has suggested that CMMC compliance should become a mandate for all types of government contractors.

"CMMC has been touted as a potential standard that could expand beyond the Defense Industrial Base (DIB) to cover all government contractors.”

The GSA made its recommendation about broad CMMC enforcement as part of an effort to address the supply chain security risks that have become a widespread threat across sectors of all types. CMMC assessment can play a central role in managing supply chain risks by enabling businesses to achieve the following goals:

Ensuring that existing partners and suppliers follow cybersecurity compliance rules.

Vetting new partners and suppliers to assess their cybersecurity hygiene.

Helping guide cybersecurity teams in determining which controls and processes to use to mitigate risks within supply chains.

CMMC – unlike most other compliance frameworks – was designed specifically to help mitigate supply chain cyber security threats. It offers an excellent foundation for managing supply chain threats no matter which type of business you operate. Businesses that can’t demonstrate CMMC compliance are at risk of being seen as insecure by partners and suppliers. They may also struggle to establish Vendor Disclosure Programs that their customers require to manage supply chain risks. And they could face financial damages as a result of supply chain breaches.

All of the above means that, even if you don’t have a contractual obligation to meet CMMC Security specifications today, you could in the future – so you may as well start preparing now for CMMC certification.

Claim Your 30-Day Free Account

Managing upstream and downstream
supply chain risks with CMMC

Although it’s common to talk about “supply chain cyber security” as if it were a singular endeavor, supply chains actually include two main parts:

Upstream

This part of the supply chain includes the suppliers and vendors who deliver the resources your company needs to provide its own goods or services.

Downstream

The downstream component of the supply chain consists of the processes required to deliver your business’s goods and services to distributors, customers and end-users.

A CMMC compliance program helps to manage compliance risks within both segments of the supply chain. You can require CMMC compliance from your vendors – just as the DoD does – in order to enforce strong cybersecurity hygiene standards within the upstream portion of your supply chain. In turn, you can ensure that your vendors:

Comply with legal
cybersecurity mandates

Continuously monitored for
cybersecurity risks

Maintain up-to-date contracts that define their cybersecurity
obligations

Report vulnerabilities quickly in the
event that they suffer a breach – which
in turn means that your supply chain is breached

For your own business protects the downstream portion of your supply chain. It gives your distributors and customers confidence in your commitment to cybersecurity standards, which will in turn help you win and retain more customers. CMMC compliance also ensures that you have the safeguards and controls in place to mitigate the impact of a breach rapidly, in order to keep its impact on your downstream supply chain as small as possible.

Adjusting to CMMC 2.0
compliance changes

The prospect of meeting CMMC compliance requirements may seem daunting – and it should be. While all compliance frameworks tend to be complex, the CMMC takes the cake for establishing especially rigid and complicated requirements – which is part of the reason that, historically, businesses have hired expensive consultants to help manage their CMMC compliance programs.

The state of Cybersecurity Maturity Model Certification (CMMC) is changing. The federal government in 2021 issued a new version of the framework, CMMC 2.0, that is designed to simplify compliance requirements for contractors.
Among other changes, CMMC 2.0 reduces the number of compliance “levels” from five to three, while also making it easier for contractors to self-certify their compliance.

You may no longer need to pay consultants to guide you through the CMMC compliance process, but you do need comprehensive cybersecurity monitoring tools in place that allow you to identify and respond to risks across all segments of your supply chain.

That’s good news overall. However, it would be a mistake to assume that the revised CMMC framework is easy to understand or apply.

Contact Us

Understanding the new CMMC compliance levels

To be more specific, CMMC compliance under the updated version requires the ability to meet requirements associated with the three new compliance levels:

Foundational

Six to eight weeks

The most basic level of compliance requires the ability to meet seventeen NIST SP 800-171 controls. They consist mostly of standard cybersecurity controls, like implementing basic authentication and encryption protections.

Advanced

Three to eight months

The advanced CMMC compliance level requires meeting all 110 of the NIST SP 800-171 controls – including not just implementing basic protections but also reacting quickly to breaches and protecting against remote threats.

Expert

Up to a year

Expert compliance requires meeting controls from SP 800-172 in addition to all of the SP 800-171 controls. SP 800-172 includes requirements such as implementing threat hunting programs and enforcing least privilege.

Businesses can self-attest their achievement of the first two compliance levels. Expert compliance certification requires review by the federal government.

Determining your CMMC compliance level


Every business needs to achieve at least Foundational CMMC compliance in order to do business with the DoD. But ideally, every business should achieve Expert-level CMMC compliance.


Whether it’s practical for your company to get to Expert-level compliance – and whether it’s a worthwhile goal – requires evaluation of several factors.


You should also perform an assessment of your supply chain and the vendors in it.
Do your vendors have a history of breaches that could jeopardize your supply chain cyber
security? Do they already demonstrate cybersecurity compliance, or has that historically been a challenge for them? The stronger the cybersecurity hygiene of your vendors, the easier it will be for you to achieve Expert-level compliance.

Consider, too, the cost of CMMC compliance. Even if you self-attest, collecting and reporting the data required to certify your compliance can require a significant investment of resources. And the more controls you need to meet, the higher your compliance costs will be.


Also, CMMC compliance must be demonstrated on a yearly basis in order to meet the government’s requirements. Of course, you can streamline compliance reporting costs by using tools that can automatically assess risk for you. These tools can drastically cut down on resource costs and time spent on manual processing.

CMMC compliance as a foundation for ESG compliance

CMMC is an excellent starting point for meeting goals associated with Environmental, Social and Governance (ESG) compliance – something that customers and investors increasingly look for.

 

According to Kobi Freedman, Founder and CEO of Findings,

 

“Making our world better and helping to improve our society is part of our vision as a company. We observed the rapidly growing demand of our customers to adopt ESG practices in our platform and think it is an enormous opportunity which perfectly aligns with our values.”

CMMC is an excellent starting point for meeting goals associated with Environmental, Social and Governance (ESG) compliance – something that customers and investors increasingly look for.

According to Kobi Freedman, Founder and CEO of Findings,

When you secure your supply chain with the help of CMMC, you are in a stronger position to achieve ESG compliance as well for two main reasons:

Supply chain protection mitigates the risk of data leakage that could expose financial information, personal data or other types of information that harm your business’s reputation as a socially responsible company.
Supply chain attacks that disrupt industrial plants, manufacturing facilities or similar infrastructure may lead to pollution, toxic waste release or similar issues that harm your business’s image as an environmentally responsible company.

Preventing supply chain attacks with Findings

Findings help businesses of all types to meet CMMC compliance requirements as part of a supply chain protection strategy.
Using automated reporting, Findings allow businesses to validate that their vendors adhere to cybersecurity standards associated with frameworks like CMMC, such as the NIST SP 800-171 and SP 800-172 controls. At the same time, Findings allows companies to demonstrate their own compliance to customers.
And, because Findings collects supply chain data, evaluates risks and generates reports automatically, you don’t need to worry about human error when managing supply chain risks. Nor does supply chain protection need to require a tremendous investment of staff time and company resources.
Free Findings account: Sign up
Findings.co
Company
Products
Solutions
Media Room
Guides
Company
About
Privacy Policy
Terms of Use
Contact Us
FAQs
Sitemap
Products
Vendors
Enterprise
Partners
Vendors index
Solutions
Cyber security
ESG
Cloud Monitoring
Continuous Monitoring
Media Room
Blogs
Press Room
Guides
What is vendor risk management?
The Findings CMMC compliance checklist
4 ESG Best Practices for Energy Efficiency
Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account

Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Claim your free account Trial
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
less
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Claim your free account trail
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!