CMMC and DoD Contractors
7 October 2020


CMMC and what it means for DoD Contractors

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC gives the Department of Defense (DoD) a mechanism to certify the cyber readiness of the largest defense contractors — those at the top who win contracts directly are called “primes” — as well as the smaller businesses that subcontract with the primes. CMMC mostly deals with Controlled Unclassified Information (CUI), which is not classified information.

The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

Model Source Counts

The model leverages multiple sources and references:
– CMMC Level 1 only addresses practices from FAR Clause 52.204-21
– CMMC Level 3 includes all of the practices from NIST SP 800-171r1 as well as others
– CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-171B plus others
– Additional sources, such as the UK Cyber Essentials and Australia Cyber Security Centre Essential Eight Maturity Model, were also considered and are referenced in the model

What does it mean for defense contractors?

Currently, organizations have to ‘self-certify’ that they meet the NIST SP 800-171 controls in order to bid on federal/DoD contracts that contain CUI.

Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes plus all of those specified in the lower levels.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

As of June 2020, the DoD had published as many as 10 requests for information on contracts that included CMMC requirements, Ellen M. Lord said during a Pentagon news conference announcing the certification effort. By September, she said, the department would also publish corresponding requests for proposals that include those requirements. By fiscal year 2026, all new DoD contracts will contain the CMMC requirements, Lord said.

No existing contracts with the department will have CMMC requirements inserted into them. The new CMMC provides for five levels of certification in both cybersecurity practices and processes.

“Something … simple in Level 1 would be, ‘Does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords?’” said Katie Arrington, DoD’s chief information security officer for acquisition. “CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company and your own information.”

“Eventually CMMC will translate into civilian and non-defense federal contractors. This will be the new cybersecurity standard that federal agencies adopt in the near future,” said Sri Achary, a cybersecurity expert with Custom Cybersecurity Solutions based in Los Angeles, California.

How do companies prepare to bid for DoD and Federal Contracts that require CMMC?

The CMMC Accreditation Body (CMMC-AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC-AB will provide the requisite information and updates on its website.

The CMMC-AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, Defense Industrial Base (DIB) companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

Organizations that are interested in bidding for DoD and federal contracts should start preparing for CMMC now. The CMMC-AB will start listing assessors and practitioners in its marketplace. The CMMC Model appendices provide clarifications for each control.

What is CUI and FOUO, and how can my organization prepare for it?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for ‘For Official Use Only’, is a document designation used by the DoD.

The contracting government agency (DoD) provides guidance on the specific CUI data upon contract award. With that guidance, data classification software can help identify and label CUI. Getvisibility provides Artificial Intelligence (AI) tools to identify, classify, and label CUI to meet CMMC standards.

Organizations that start preparing for a CMMC level now will have an advantage when bidding for contracts that require CMMC. Preparing for a CMMC level and getting ready for an assessment takes time, and the DoD is already including CMMC requirements in its contracts. CMMC Level 3 is the most common level and will qualify small and medium-sized businesses for most federal contracts.
