The information in the article below has been superseded by CMMC 2.0 in mid-November 2021.
The Cybersecurity Maturity Model Certification (CMMC) was developed by the Department of Defense (DoD) as a means to measure the readiness of companies in the Defense Industrial Base (DIB) sector to protect sensitive data. This new certification specifically aims to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Designed to decrease risk to the frequently targeted defense industry, CMMC is a methodology and framework that will keep in step with technology changes while introducing a unified DoD cybersecurity standard. Beginning in 2021, every company that does business with the DoD, including suppliers throughout the DIB, will be required to obtain CMMC certification at some level, with the expectation that all active contracts will have a CMMC level requirement in place by 2026.
Companies that act now to comply with CMMC certification requirements will have many advantages over those that do not. Since all new and expiring DoD contracts will go to companies that are CMMC compliant at some level, early adopters of the new framework will have the competitive advantage of being awarded DoD contracts over others who might be slower to react to these changes. Organizations that already have a cybersecurity framework in place will find that the burden of compliance may not be out of reach, as CMMC builds on existing standards and requirements such as NIST SP 800-171, NIST SP 800-53 and AIA NAS9933.
In addition to gaining a competitive advantage in terms of winning new business, those adopting the new CMMC requirements will see other rewards, such as reduced financial exposure from data breaches. Given the government's ability to impose heavy fines on DoD contractors impacted by a data breach, those who gain this certification will find themselves with another layer of protection against such adverse outcomes. The new DoD certification also offers implementers the benefit of automatic compliance with other government regulations and standards, such as those of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Modernization Act (FISMA), and the Sarbanes-Oxley Act (SOX).
Because CMMC certification requirements will be imposed on all DoD contractors, the framework will actually serve to bring equality of opportunity to competitors seeking a government contract. Each DoD contract will require certification at one of the five levels of increasing maturity, which will be defined in the Requests for Information (RFIs) and Requests for Proposals (RFPs) for those inquiring. According to the CMMC FAQs on the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment, the costs of implementing CMMC requirements, supporting the CMMC assessment and contracting with a third-party assessment organization will be considered allowable costs, meaning companies implementing CMMC may seek reimbursement from the DoD.
CMMC requirements are changing the landscape for all companies that are contractors or sub-contractors of the DoD. The stakes are high, and the time to act is now for contractors vying for new or expiring contracts in the DIB sector. Those who wish to become compliant will need to contract a qualified third-party assessment organization. McKonly & Asbury has the tools and resources to assist any organization in adopting the requirements needed to become CMMC compliant.
About the Author
Brian joined McKonly & Asbury in 2019 and is currently a Supervisor with the firm. He is a member of the firm’s Audit and Assurance Segment, serving clients as an internal auditor, on SOX engagements, and in the firm’s System and Organization Controls (SOC) practice.