According to some estimates, more than 70% of DoD data resides on contractor networks. Given the ever-growing security risk posed by cybercriminals, the DoD has developed a new set of standards called Cybersecurity Maturity Model Certification (CMMC) to help protect Government contractors and their data from cyberattacks.
What is it?
CMMC is a new certification that addresses the cybersecurity processes used by contractors and subcontractors to perform work on Government contracts. The certification process assesses a contractor’s cybersecurity procedures and practices with respect to defined levels of maturity (CMMC Level 1-5). The assessment is conducted by an outside third-party assessment team.
Why is it important?
In a word – hackers. As we see in the news every day, commercial companies and state and federal Government agencies (including DoD) are continually being targeted by hackers – individuals, criminal organizations, or nation-state actors. Just recently – on Dec 13th, 2020 – the U.S. Treasury admitted it had been breached by a foreign-government-backed cyberattack. Government data is targeted and exploited, so safeguards must be implemented and updated to stay ahead of threat actors. CMMC seeks to ensure that Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) are adequately protected.
Who is affected?
Basically, all contractors and subcontractors that work on DoD programs will be required to have some level of certification (at least Level 1). Each contract will specify the CMMC level required for the prime contractor and subcontractors.
What is the timing?
DoD released the initial set of CMMC standards on January 31, 2020. CMMC language has already started appearing in Requests for Proposals (RFPs) and Requests for Information (RFIs). The DoD will implement a phased rollout of CMMC with 15 pilot programs in FY2021, increasing in number each year until FY2025. All new DoD contracts will require an appropriate level of CMMC certification by 2026. Existing contracts up for renewal will reflect the CMMC level required by the contracting authority.
What does this mean for me and my company?
CMMC will be implemented soon, so if you currently work, or plan to work, on DoD programs, then you need to be ready. Review the initial release of the CMMC standards to gain a comprehensive understanding of their stipulations. Discussions with the DoD agency or prime contractor should give some insight into which level of certification may be required for existing contracts. Future RFIs and RFPs will include CMMC requirements. You need to be prepared ahead of time – don’t be excluded from a bid because you failed to meet the CMMC requirements!