Cybersecurity Maturity Model Certification (“CMMC”)

In its final form, the CMMC will combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into a single unified cybersecurity standard for Department of Defense (DoD) contractors. In addition to cybersecurity controls, the CMMC will also measure the maturity of a company’s institutionalization of its cybersecurity practices and processes.

What does the CMMC mean for DoD Contractors?

The DoD has built upon existing DFARS 252.204-7012 regulation and developed the CMMC as a “verification component” with respect to cybersecurity requirements. The DoD has entrusted DoD contractors to achieve compliance, and with continued pressure to ensure 100% adoption of cybersecurity controls, the DoD is updating its policies.

This all means that every DoD contractor will need to become CMMC Certified by passing a CMMC Audit to verify they have met the appropriate level of cybersecurity for their business. Eventually, this will be a requirement for any organization that wants to hold contracts with the DoD or work as a subcontractor on DoD related projects.

To verify that DoD contractors have met the appropriate level of cybersecurity controls, the DoD will deploy certified third-party assessor organizations (C3PAOs) to conduct audits of DoD contractor information systems. Based on this audit, a DoD contractor that complies with 100% of the controls for a given Level will be awarded a certification at that Level (1-5) and will be allowed to continue bidding on contracts.

Important Dates and Milestones for DoD Contractors

January 2020

  • The official CMMC Levels and requirements will be released, along with training materials for the independent CMMC Accreditation Board (CMMC AB) to use for training auditors and C3PAOs.

February-May 2020

  • The initial round of assessors will be trained.

June-September 2020

  • The initial round of audits will begin for a select number of DoD Programs/RFIs that identify the required CMMC Levels. Contractors wishing to bid on those Programs will need to be certified at the required Level in order to receive the RFI.

October 2020 and beyond

  • DoD contractors will need to get certified by an accredited assessor/C3PAO in order to bid on new work.

Becoming Certified

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic to advanced cyber hygiene. Brouse McDowell can counsel businesses through the CMMC certification process and develop the appropriate CMMC policies and manuals for compliance certification.