No certification pain, no contract gain. A relatively new and, some would say, arduous certification process aims to ensure contractors are meeting improved cybersecurity standards.
The Cybersecurity Maturity Model Certification (CMMC) is part of a Department of Defense (DoD) framework that requires a third-party vendor and supply chain certification to win or renew contracts.
How does the government maintain a high level of security across a network of over 300,000 contractors? Under most government contracts, defense contractors will now assume all IT-related cyber and security risks.
The CMMC is designed to improve the protection of controlled unclassified information (CUI) and covered defense information (CDI) within the supply chain. More than 70% of DoD data resides on contractor networks.
Defense contractors must prepare for these changes by identifying the maturity level they need, documenting internal processes, providing the DoD with feedback, and conducting proper third-party assessments.
But beware—this isn’t a “one and done” certification. Cyber agility is an ever-evolving systems process that will continually challenge contractors to audit and improve their organization’s security standards.
What is the CMMC?
Released by the DoD on January 31, 2020, the CMMC is setting a new IT standard for the defense industrial base (DIB).
With hundreds of thousands of companies in the DoD supply chain, the CMMC requires contractors to submit third-party assessments of their cyber compliance. In the past, contractors were tasked with monitoring their own IT systems, but as cyber threats became more widespread and sophisticated, the CMMC added an extra layer of security to the supply chain.
Goal of CMMC
The primary goal of the CMMC is to protect and improve the security of controlled unclassified information (CUI) and federal contract information (FCI). CUI is information that requires safeguarding, and FCI is information not intended for public release. Both require enhanced protection and safeguards against pressing security threats.
Understanding the CMMC Framework
The CMMC has established five certification levels to adequately protect sensitive government information across contractor information systems. It has also established domains that categorize contractor security within each level.
The five levels, starting at level one, build upon each other's technical requirements.
The Domain Breakdown
The CMMC framework consists of 17 domains. Domains have capabilities, and capabilities include practices and processes. CMMC requirements are organized by domains and capabilities—then each practice and process within them is designated by level.
To Whom Does the CMMC Apply?
The certification applies to all DoD prime contractors and subcontractors who provide services and materials to execute a contract.
Certification level details:
- Not all subcontractors will require the same cybersecurity program maturity as a prime contractor.
- CMMC is required for select contracts starting in 2020 and all contracts beginning in 2026.
- Contractors start at level one and certify at each level, up to level five.
DoD contractors will need to learn CMMC technical requirements, assessments, and mandatory contract procedures.
CMMC Preparation, Legal Implications, and Takeaways
Here are basic steps to begin your CMMC journey:
Document. Audit and document all compliant practices or processes.
Plan. Develop and implement procedures to obtain the highest certification level possible. Prime contractors should also work with subcontractors to develop or update compliance programs.
Engage with agencies. Offerors should closely review request for information (RFI) and request for proposal (RFP) documentation, and clarify any questions surrounding certification levels and accompanying requirements.
Challenge assessments. What if a certification level or audit result is erroneous? A low rating could place limitations on a contractor's ability to compete for work. At this time, a contractor does not have the right to appeal an audit. In the meantime, you as a contractor should provide your own feedback or recommendations surrounding due process procedures.
Reach continuous cyber agility. Although CMMC certification will be a minimum requirement for DoD contract award eligibility, achieving cyber-compliance will never be complete. The CMMC is a catalyst for changing contractors’ cybersecurity processes and internal requirements. All organizations should hold themselves to a higher security standard to ensure long-term defense contracting award success.
How to Get CMMC Certified
First, identify the maturity level your company needs to be audited against. Then, find a certified third-party assessor organization (C3PAO) that will schedule your assessment with a certified independent assessor.
Upon completion of the assessment, the assessor will submit findings and recommendations to the CMMC Accreditation Body to certify that the organization seeking certification (OSC)—you—complies with the required CMMC maturity level.
Where do I find all of this information? Start Here
CMMC: Adapt to Survive
Attention defense contractors: don’t fall behind. With change comes growth, and adaptation is the key to government contracting survival.
What to do right now:
- Get started ASAP. Take action to prepare for CMMC maturity level one. You may need to reach up to level three within a year.
- Budget. The CMMC can cost between $15,000 and $30,000.
- Find an expert who can define and explain CMMC specifications and requirements.
- Don’t “wait it out.” The framework may not be eliminated with each new administration.
- Research and find registered provider organizations with CMMC authorized and accredited practitioners.
- Realize that the CMMC framework will continually evolve and expand as cyber threats continue to change.
Stay Secure and Accelerate Your Success
As your organization works towards implementing critical cybersecurity requirements, you will need an accurate and secure pricing platform.
In the ProPricer Services Contractor Edition pricing environment, users can be given full control, or they can be granted specific access, edit, add, and delete rights—meaning rate tables can be locked down, and hundreds of individual elements can be under a variety of control levels. Request a demo.
Keep your IT department agile. Improved cybersecurity plus CMMC Certification equals more contract awards.