GovCon Council can assist and guide your DoD contracting business through the complex and often confusing Cybersecurity Maturity Model Certification (CMMC) program.


What is Cybersecurity Maturity Model Certification (CMMC)?

CMMC stands for “Cybersecurity Maturity Model Certification”. Created specifically to help safeguard Controlled Unclassified Information (“CUI”) in non-federal systems, CMMC was introduced by the U.S. Department of Defense as a continuation of earlier efforts under which defense contractors and subcontractors were required to comply with the NIST SP 800-171 cybersecurity standard if they were to receive, handle, store, or process CUI. CMMC encompasses five maturity levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The levels are cumulative: each level consists of its own practices and processes in addition to all of those specified at the lower levels.

In addition to the 110 security requirements specified in NIST SP 800-171 Rev. 1, CMMC incorporates practices and processes drawn from other standards, references, and sources. These include NIST SP 800-53, National Aerospace Standard (NAS) 9933, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM).


Who is Required to be CMMC Certified?

The DoD is incorporating the CMMC certification requirement into the Defense Federal Acquisition Regulation Supplement (DFARS) as a condition of contract award. The CMMC framework will be used to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Simply put, through the processes and practices found in CMMC, government agencies will be able to verify the maturity of the cybersecurity controls implemented by a contractor rather than rely on the contractor's own attestation.

Does my company need to be CMMC certified?

CMMC is a requirement that will apply to the unclassified networks of all contractors and subcontractors that handle, process, and/or store Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Unless your business solely develops or manufactures commercial off-the-shelf (COTS) products and software, and you plan to handle, process, and/or store FCI or CUI, your company will need to be CMMC certified.

At the moment the plan is to implement the CMMC framework within the DoD Defense Industrial Base. However, other federal government agencies are expected to follow suit and require CMMC certification of companies and organizations that need to access, store, and process CUI released by those agencies.

It is also important to know that for contracts that require CMMC, your company may be disqualified from participating if your organization is not certified at the required level.

Are you unsure what level of CMMC certification you need?

The CMMC level you will have to achieve depends on the sensitivity of the information you will be accessing and storing. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). Keep in mind that no company can self-certify. Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors accredited by the CMMC Accreditation Body (CMMC-AB) may perform CMMC assessments. Also, a company that receives a CMMC certificate will need to be re-certified every three years.

Our mentorship process involves helping you determine the exact CMMC level you will need to achieve and guiding you through the CMMC certification steps.

We are here to help!