What Is the DoD’s Cybersecurity Maturity Model Certification (CMMC)

When the Department of Defense (DoD) announced it was creating a framework for cybersecurity policy assessment and certification, and that certifications would start to be required for contracts in the fall of 2020, many businesses were caught off guard. In fact, many today are still largely unaware of the new CMMC requirement or how they can become certified.

So, let’s cover the basics to make sure your business is ready for one of the most important new DoD requirements to emerge in many years (one that may soon be replicated by military forces of other nations as well as our own federal civilian agencies).

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification.” It is a new requirement for DoD contractors to ensure that they and companies within their supply chain meet cybersecurity standards. In the past, government contractors had a self-assessment model to verify they met standards. The DoD wants to move away from self-assessment and into a more formal framework that includes certification from DoD-approved organizations. The benefit of this approach is that it better ensures overall cybersecurity practices throughout the DoD community and helps protect Controlled Unclassified Information (CUI) that exists in DoD partner networks.

The certification process is built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia.

CMMC consists of five levels to measure the “maturity” of government contractor cybersecurity practices. These levels will range from “Basic Cybersecurity Hygiene” to “Advanced.” This allows the DoD to structure future contracts based on these cybersecurity levels. The ultimate impact will be that a government contractor will need to be certified at a certain level in order to be eligible to bid on a DoD contract opportunity.

How can my business become certified?

Right now the DoD is building a network of organizations that will provide certification services. Your business will need to work directly with one of these accredited, independent third-party commercial certification organizations to request and schedule your CMMC assessment.

Based on the qualifications for each level, your company will tell the certification organization which level it wants to be certified for. The level actually awarded is determined by whether your practices meet that level's requirements. Not all businesses will qualify for each level.

Once the certification has been performed and approved, your company will be awarded the appropriate CMMC certification.

How do I request a certification assessment?

We expect that there will be a number of companies providing third-party CMMC assessment and certification.

I am a subcontractor on a DoD contract. Do I need to be certified?

Yes. ALL companies doing business with the U.S. Department of Defense need to be certified. The goal is to protect the DoD throughout the supply chain. Proactive subcontractors will be seen as an asset to prime contractors. If you are a prime contractor, this means you will need to be very assertive in helping your subcontractors understand what they need to do. Failure to comply may result in those subcontractors being ineligible to participate in future contract opportunities.

How often does my organization need to be reassessed?

The duration of a certification is still under consideration.
