WHAT IS CMMC? CMMC, which stands for ‘Cybersecurity Maturity Model Certification’, is the upcoming mandatory standard for all contractors and suppliers that work with the Department of Defense (DoD).
WHY IS THIS NEEDED? The new framework is meant to ensure that contractors and suppliers have appropriate cybersecurity controls in place to protect data such as Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other sensitive information. The DoD is rolling out the framework “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).”
WHO MUST FOLLOW CMMC? All DoD contractors and suppliers in the defense supply chain. Any organization that wants to do work for the DoD and bid on a project must be CMMC certified.
HOW DOES IT WORK? The CMMC categorizes organizations by five maturity levels. These levels map the rigor of an organization’s cybersecurity program to the risk it poses to national defense interests. Maturity Level 1 is associated with organizations that pose the least risk and need only a baseline security program. Maturity Level 5 organizations pose the highest risk to national defense interests and therefore require the most rigorous security program. An organization that wishes to bid on a DoD contract must hold a CMMC certification at a maturity level that supports the risk associated with that contract.
The new CMMC framework also requires third-party certification. Contractors and suppliers will need an independent CMMC Third-Party Assessment Organization (C3PAO) to conduct the assessment and issue the certification. Contractors and suppliers will no longer be able to self-certify, as they currently do with NIST 800-171.
IS THE CMMC ACTIVE NOW? The DoD expects to begin formal implementation of CMMC in the near future. Updates on the status of the initiative can be found on the official site, and we will also publish updates as we receive them.
WHAT SHOULD CONTRACTORS DO NOW? Any organization that handles CUI and will be required to certify to CMMC is already required to comply with NIST 800-171 under DFARS clause 252.204-7012. By evaluating their current compliance with NIST 800-171, and by developing a remediation plan that also covers the new requirements in the draft CMMC standard, DoD suppliers can close their gaps today and prepare for this revenue-critical requirement in the coming months.
UPDATE: NIST SELF-ASSESSMENT REQUIREMENTS
“Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date.”