Cybersecurity Maturity Model Certification
CMMC is a certification of a company’s cybersecurity. There will be five levels of CMMC certification, ranging from basic cyber hygiene practices (Level 1), all the way to the most sophisticated cybersecurity efforts for the most sensitive projects (Level 5). The CMMC requirement will be included in certain new solicitations and contracts beginning in 2021. Eventually, DoD will assign a CMMC level to every procurement it issues — compliance with the applicable CMMC level will be a mandatory element of contract eligibility. In other words, if a bidder doesn’t meet the CMMC level assigned to a solicitation, they won’t be eligible for that award. And, compliance with the applicable CMMC certification is required for any subcontractor under the opportunity. Companies doing, or interested in doing, contract work with DoD would be well served to begin reviewing and implementing CMMC now by following the current DFARS regulation 252.204-7012 using the NIST 800-171r1 standard. CMMC Level 3 will be comparable to this NIST standard plus 20 additional controls.
As the program is being rolled out, CMMC certifications will be obtained through a third-party auditor/assessor hired through C3PAOs. DoD has not yet announced who those auditors will be, however the first round of CMMC Level 1 assessors will be released soon. Worth noting is that although CMMC is, for now, a DoD-specific initiative, it is expected that this cybersecurity certification program will expand to civilian agency contractors as well, making CMMC a government-wide requirement to help protect all federal agencies’ information. Federal contractors & subs should always thoroughly read their contract documents and be fully aware of their compliance responsibilities.