by Melissa Becker, Government Contracting Specialist, Northwest Commission PTAC

October is Cybersecurity Awareness Month, and also a great opportunity to reinforce CMMC, the U.S. Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification rolling out this year. This new certification will become a standard requirement for companies working on DoD contracts.

Basically, CMMC is a certification of a company’s cybersecurity. There will be five levels of CMMC certification, ranging from basic cyber hygiene practices (Level 1), all the way to the most sophisticated cybersecurity efforts for the most sensitive projects (Level 5). The CMMC requirement will be included in certain new solicitations and contracts beginning in 2021. Eventually, DoD will assign a CMMC level to every procurement it issues — compliance with the applicable CMMC level will be a mandatory element of contract eligibility. In other words, if a bidder doesn’t meet the CMMC level assigned to a solicitation, they won’t be eligible for that award. And, compliance with the applicable CMMC certification is required for any subcontractor under the opportunity. Companies doing, or interested in doing, contract work with DoD would be well served to begin reviewing and implementing CMMC now by following the current DFARS regulation 252.204-7012 using the NIST 800-171r1 standard. CMMC Level 3 will be comparable to this NIST standard plus 20 additional controls.

As the program is being rolled out, CMMC certifications will be obtained through a third-party auditor/assessor hired through C3PAOs. DoD has not yet announced who those auditors will be, however the first round of CMMC Level 1 assessors will be released soon. Worth noting is that although CMMC is, for now, a DoD-specific initiative, it is expected that this cybersecurity certification program will expand to civilian agency contractors as well, making CMMC a government-wide requirement to help protect all federal agencies’ information. Federal contractors & subs should always thoroughly read their contract documents and be fully aware of their compliance responsibilities. Contact your local PTAC for assistance with understanding these new rules.

Side Note: Robyn Young, Government Contracting Manager at Northwest Commission PTAC, and guest panelists (including a prime contractor and IT specialists), will be featured in an upcoming webinar, CMMC – What DoD Contractors Need to Know, on October 15th. Register at www.nwirc.org/events.