CMMC explained – A new cyber standard for DoD contractors

There are many factors for government departments when it comes to selecting contractors. More and more though, cyber security is one of them. Especially when the department in question is the US Department of Defense (DoD).

Previously, the DoD has demanded that cyber security standards be applied after awarding a contract. Now though, they have announced the introduction of the Cybersecurity Maturity Model Certification (CMMC). Anyone competing for a DoD contract will require this certification ‘pre-award’ in order to be considered.

What are the CMMC requirements?

The DoD has been working with Johns Hopkins University Applied Physics Laboratory (APL), Carnegie Mellon University Software Engineering Institute (SEI), and others to construct one unified standard for cybersecurity.

The CMMC model framework breaks down cyber security standards into 17 Domains, each consisting of various Capabilities. Within these Capabilities are various Practices and Processes. Potential contractors will be assessed according to these criteria. Based on this, they will be assigned a certification level between 1 and 5, denoting their degree of cybersecurity maturity. The DoD has made clear that it aims for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.

Does CMMC apply solely to prime contractors, or lower level suppliers too?

According to the DoD, all subcontractors will be required to have CMMC certification, regardless of size or function. It is thought that all subcontractors will be required to meet CMMC Level 2 (the second-lowest level of certification). In other words, if you wish to apply for any DoD contract, or to become a subcontractor to a major DoD supplier, you will be required to secure CMMC certification in advance.

How will certification be granted?

Each request for proposals (RFP) from the DoD will now explicitly state the level of CMMC certification required. Each applicant will need to coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a CMMC assessment. The training, quality, and administration of third-party assessment organizations will be overseen by the CMMC Accreditation Body.

How will CMMC impact my business?

This will partly depend on the size of your business. Large companies will likely need to dedicate significant staffing resources to ensure cybersecurity compliance and ongoing standards. This may be accentuated in the case of a large company that depends on a flow of subcontractors.

Smaller companies should expect to devote larger budgets towards cyber security. However, IT security costs will be a permissible charge on DoD contracts, so this can be built into proposals.

Nonetheless, any company should expect to take the following steps:

· Start building budgets and modifying rates with these enhanced security requirements in mind

· Build a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), which is viewed as basic good cyber security practice

· Continue to educate yourself on CMMC, through articles, industry days, meetings with industry colleagues and more. CMMC is an evolving process, so it is important to keep updated