What is CMMC?

The Department of Defense (DoD) currently requires that its contractors meet the requirements of NIST 800-171 however there is no audit and accountability for protecting Controlled Unclassified Information (CUI). This has led to the creation of the Cybersecurity Maturity Model Certification (CMMC).

CMMC is the certification process developed by the DoD as the next stage in properly securing the Defense Industrial Base (DIB). This standard is intended to replace NIST 800-171 on DoD RFIs and RFPs beginning in mid-2020. A key difference compared to NIST 800-171 is the CMMC will not contain a self-attestation component. Therefore, all organizations that do or intend on doing business with the DOD will be required to go through an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime. CMMC model is defined with five maturity levels relating to both practices and processes with Level 1 as the most basic and Level 5 as the most advanced.

These five levels are designed with recognition that not all organizations contracting with DoD will need the highest levels of controls and cybersecurity. The first clear impact on organizations will be on recompetes. Contract incumbents failing to measure up to the requirements as they are added to a recompete risk losing the contract to another bidder. Less clear is the impact on teaming and subcontracting as it relates to the flow of requirements. It is unknown if the CMMC level will flow down like other requirements or primarily apply to the prime contractor. The bottom line is that every type of organization doing or seeking business with the DoD will need a third-party audit, forcing them to verify employment government guidance and compliance with set security standards.

Organizations looking to compete on DoD RFIs and RFPs will need to be CMMC compliant by October 2020 as initial RFPs with CMMC requirements will be released. If you have plans to compete or recompete on DoD contracts in the future, we want to be your partner in ensuring you are CMMC compliant and audit ready.