The Department of Defense (DoD) created a requirement for all organizations in the defense supply chain contracting with the government to achieve the appropriate level of Cybersecurity Maturity Model Certification (CMMC compliance).
DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
The CMMC combines various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, reduce risk against a specific set of cyber threats.
The five levels Cybersecurity Maturity Model Certification are:
The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity
requirements. The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
Per the DoD, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
Even if your organization does not handle CUI but are part of the Defense Industrial Base, are contracted with the DoD, and possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
If you are a subcontractor on a DoD contract, you must still obtain a CMMC compliance certificate. The level of the CMMC compliance certificate is dependent upon the type and nature of information flowed down from your prime contractor.
The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs).
CMMC Compliance Readiness Review
The first step towards certification is to get a third-party Readiness Review completed to identify gaps that would prevent an organization from meeting the minimum requirements outlined in the appropriate CMMC Level. The Readiness Review is designed to discover inadequate system setups and processes that may not meet all of the required controls. Registered Provider Organizations (“RPO”) such as Freed Maxick and our Registered Practitioners can help conduct these readiness assessments and place you on a path for certification. Freed Maxick has helped numerous organizations navigate the complexities and financial hurdles of increasing cyber security requirements.
If you would like to schedule an CMMC compliance readiness assessment discussion, please reach out to one of our CMMC experts by filling our the form below or calling 716.847.2651.