
Is CMMC Still Needed if You Have a QMS or ISMS?


CMMC is a strict and difficult standard to meet, which leads a lot of companies to wonder: how necessary is it, really?

After all, CMMC is not alone in the world of security and compliance. There are many other frameworks, both within the United States (like FedRAMP) and internationally (like ISO 27001).

Companies that meet other compliance standards and have systems in place, like an ISMS or a QMS, might wonder: Is CMMC still required? The answer may be yes, or it may be no, and it all depends on your goals as a company.

BLUF - Bottom Line Up Front

CMMC is essential for companies wanting to work with the U.S. Department of Defense, especially if handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Though a QMS (ISO 9001) or an ISMS (ISO 27001) helps with security management, neither replaces CMMC. Many overlapping requirements exist, easing the transition. If working with federal contracts is your goal, aligning with CMMC is key. The Ignyte Assurance Platform assists in achieving CMMC compliance efficiently.

What is a QMS?

Let’s start with the QMS, or Quality Management System. What is it and where does it come from?

A Quality Management System is a formalized system developed by a business to organize and codify everything from the processes, responsibilities, and procedures used to assure quality across the business.

While that might sound like MBA buzzword soup, it’s actually quite tangible. A QMS is not just a label; it requires a framework to develop and validate it properly. Several frameworks are available, the most common being ISO 9001. There are also related ISO management system standards, like ISO 14001 for environmental management systems, ISO 19011 for auditing management systems, and ISO 13485 for medical device quality management.

There are also sector-specific quality standards built on top of ISO 9001, which add industry requirements to its base. These include AS9100, the QMS standard for aviation, space, and defense, and IATF 16949 for automotive products.

While all of these differ in their details, scope, and sponsoring organizations, they share the same quality management principles: customer focus, leadership, engagement of people, a process approach, continual improvement, evidence-based decision-making, and relationship management.


What you might have noticed here is that nowhere in the above description did we mention cybersecurity.

That’s not because a QMS has nothing to do with cybersecurity. In fact, a QMS can be closely related to cybersecurity, information security, and digital security for an organization. It’s just not purely focused on cybersecurity.

A QMS can be related to cybersecurity in a few ways. Since it’s a quality overview framework, it contends with the overall quality of systems such as your digital security, your infrastructure, and even your vendor contracts. The quality of your security is part of the quality of your organization, after all.

That said, ISO 9001 and the related frameworks are not cybersecurity frameworks, but business frameworks that happen to touch on cybersecurity. That makes them quite different from the control-by-control CMMC.

What is an ISMS?

An ISMS is an Information Security Management System. Like a QMS, an ISMS is built around a framework, but this time the focus is information security, because the ISMS is what you develop and certify under ISO 27001.

Like a QMS, an ISMS operates at the level of the whole business rather than a single system: it covers governance of business data, risk assessment and treatment, handling of security incidents, and more. It encompasses policies, procedures, people, behaviors, and training, and is thus not solely a technical solution.

ISO 27001 is a lot closer to CMMC than ISO 9001. It’s still not quite the same, though, and the differences are very important.


We’ve discussed ISMS and ISO 27001 in greater detail elsewhere on this site, so if you want deeper dives, check out:

The question becomes, do you need CMMC, or is an ISMS good enough?

Do You Need CMMC if You Have a QMS or ISMS?

The answer to this question comes down to the answers to a couple of related questions.

First: Does your business plan to do business with the U.S. Department of Defense (DoD)?

If the answer to this question is yes, then you will probably (though not definitely) need to earn CMMC certification.

If you plan to work with other federal agencies but not the DoD, you might not need CMMC. If what you sell them is a cloud service, you will more likely need a FedRAMP authorization instead. FedRAMP and CMMC are similar in their goals and draw from the same NIST well of security controls (FedRAMP is built on NIST SP 800-53, and NIST SP 800-171, which CMMC assesses against, is itself derived from 800-53), but they apply to different parts of government and to different kinds of systems.

If you don’t have plans to work with the U.S. Federal Government at all, then you don’t need either of those programs. If you want to work with state-level governments or similar institutions, you might want GovRAMP (formerly StateRAMP).

And if you don’t plan to work with any U.S. governmental institution, you won’t need any of these frameworks. Governments outside the U.S. may ask for ISO 27001 certification, which your ISMS already supports, and third-party contracts with other organizations might have their own requirements. That’s something you need to look up in your specific contracts, though, not take as a generalization from a compliance blog.


Now we come to the second question, which is only applicable if you answered yes to the first question.

The second question is this: Will your business handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)?

If your business wishes to provide a service to the DoD, but your service does not in any way handle either FCI or CUI, you may not need CMMC. This is pretty unlikely, though; the DoD doesn’t want to leave a loophole open to exploitation, and its contracts routinely carry the relevant clauses anyway (FAR 52.204-21 for FCI, DFARS 252.204-7012 for CUI, and DFARS 252.204-7021 for the CMMC level itself).

The main exception is for commercial off-the-shelf (COTS) items. To qualify, an item must be a commercial product of a type customarily used by the general public and not just by government supply chains, it must be sold in substantial quantities in the commercial marketplace (mere availability isn’t enough), and it must be offered to the government without modification, in the same form in which it is sold commercially. A government-specific version is no longer COTS and would need to meet CMMC requirements itself.

Most of the time, if you’re going to work with the Department of Defense in some capacity, you’re going to need to have a CMMC certification. The biggest differentiator is whether you need Level 1, Level 2, or Level 3.

Broadly speaking (and overly simplistically), you can think of it as:

  • Level 1 is for companies that handle FCI but not CUI. It covers the 15 basic safeguarding requirements of FAR 52.204-21 and is confirmed by an annual self-assessment.
  • Level 2 is for companies that handle CUI, with or without FCI. It requires all 110 security requirements of NIST SP 800-171, assessed either by a C3PAO or, where the contract allows it, by self-assessment.
  • Level 3 is for the small set of contractors supporting the DoD’s highest-priority programs. It adds 24 enhanced requirements from NIST SP 800-172 on top of Level 2 and is assessed by the government (DCMA DIBCAC).

The majority of businesses working with the DoD will fall into Level 2; some will fall into Level 1, while relatively few will be Level 3, and those will definitely not be the kinds of businesses asking this question.

There’s more nuance to the determination than just these simple lines, but it’s not terribly difficult to determine where you’re going to sit when the contract comes down.

Not All Bad News

Many companies reading this will learn that an ISMS or a QMS is not sufficient and that they’ll need to achieve CMMC at some level, and will be disheartened. Some may have proactively achieved ISO 27001 certification under the mistaken assumption that it was reciprocal; others might have hoped for an easy path to break into the U.S. market from abroad. Some might just have hoped not to duplicate a lot of work.

While “you have to achieve CMMC” is bad news for some companies, it’s not all that bad, for one major reason.

That reason is that there’s a decent amount of overlap between CMMC and ISO 27001, and even, to an extent, with ISO 9001 and its ilk.

CMMC is assessed against the National Institute of Standards and Technology’s special publication NIST SP 800-171, which defines the security requirements for protecting CUI. The levels don’t pick and choose individual controls; they differ in how much of that document is required (Level 1 covers only the basic safeguarding requirements, Level 2 requires all 110) and, at Level 3, add enhanced requirements from the companion NIST SP 800-172.

When you set up an ISMS according to ISO 27001, you’re working from a control set that overlaps substantially with the NIST SP 800-171 requirements. NIST publishes the relationship itself: the mapping tables in NIST SP 800-171 (Revision 2, the version CMMC currently assesses against) relate each requirement to the corresponding ISO/IEC 27001 Annex A controls. The two standards take different approaches, but the ground they cover is similar.

Perhaps the biggest difference is in how the two function. NIST SP 800-171, and consequently CMMC, are prescriptive: every requirement applies, and an assessor checks each one against the assessment objectives in NIST SP 800-171A. ISO 27001 is risk-based and outcome-oriented: it mandates the management system itself (clauses 4 to 10) but lets you select Annex A controls through your own risk assessment and justify that selection in a Statement of Applicability. Both end in a third-party audit, but a CMMC assessment verifies a fixed list of controls, while an ISO 27001 audit verifies that your ISMS works and that the controls you chose are implemented. A control you judged not applicable under ISO 27001 is still required under CMMC if you handle CUI.

The QMS developed through ISO 9001 and similar standards is, unfortunately, much less aligned with cybersecurity and thus much less relevant here. It helps with the management-system side (documented procedures, internal audits, corrective actions), but it won’t be as helpful as the ISMS. If you have both, though, you’re in a good position to start on CMMC.

Because of the overlap in priorities and implementation, if you already have an ISMS in place, a lot of the work you need to do for CMMC is already done.

That’s not to say you can just apply and sail through the CMMC process, however.

  • You will still need to review your business and contract (or potential contract) to determine what level of CMMC to obtain.
  • You will need to scope the assessment: identify where FCI and CUI are stored, processed, and transmitted, and which systems, people, and facilities are therefore in scope.
  • You will need to review each of the relevant requirements in NIST SP 800-171 and identify the ones that apply to your business.
  • You will need to perform a gap analysis to determine, requirement by requirement, whether your ISMS already meets the standard NIST SP 800-171 sets or whether you need to strengthen the implementation.
  • You will need to determine what documentation and artifacts are necessary to prove your implementation, starting with the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that NIST SP 800-171 itself requires.
  • You will still need to undergo and pass a CMMC assessment (a self-assessment at Level 1, a C3PAO assessment or self-assessment at Level 2 depending on the contract, and a government assessment at Level 3).

CMMC and an ISMS are not reciprocal; ISO 27001 certification earns you nothing in a CMMC assessment. CMMC is not reciprocal with any other certification, as it currently stands. The closest thing is the accommodation for cloud services: an external cloud service provider that stores, processes, or transmits CUI on your behalf must hold a FedRAMP Moderate authorization (or meet the DoD’s equivalency requirements), and that authorization is accepted in place of a separate CMMC assessment of the cloud service. It does not carry over to your own CMMC status, and broader FedRAMP reciprocity is not something we’d hold our breath over.

The good news, despite the list of tasks we outlined above, is that a lot of what you’ve implemented as part of an ISMS (and some of what you’ve implemented as part of a QMS) is going to meet the requirements of CMMC. Not all of it, and you’ll still need to develop the appropriate documentation, but when the work is already done and you have a mechanism to report it set up already, you’re a good portion of the way there.


Fortunately, we can also help. The Ignyte Assurance Platform is designed as a framework-agnostic certification assistant, but we can easily configure it to work directly with CMMC requirements. It can tell you what you need to do, what you need to improve, and what you need to document. It works across your teams and implementation groups, and can help you validate your preparedness for a CMMC audit with a simple glance at a dashboard.

For a glimpse into what it can show you, check out our visual exploration here.

If you’re interested or you want a more customized demonstration to show you what is most important for your business specifically, you can schedule a call with us and see the platform in action. We’re more than happy to go over the details with you and help you determine if you need CMMC, what level is likely to be relevant to your business, and how the Ignyte Assurance Platform can help you achieve your goals.

So, let us help you convert that ISMS into the base for a strong implementation of CMMC, avoid the common pitfalls and roadblocks that stop certification, and get you on track to winning those DoD contracts as soon as possible.
