Are you a government contractor? Have you heard some rumblings about something called CMMC and wondered what the government has in store for future compliance? You’re not alone. We here to help with a short FAQ about the Defense Department’s new plan to mature contractor cybersecurity standards.

What does CMMC stand for?
CMMC stands for Cybersecurity Maturity Model Certification. It requires government contractors to achieve one of five levels of certification in order to bid for specific contracts.

Does it affect me or my company?
If you currently have government contracts, you will most definitely be affected. The government will determine the appropriate level to categorize the contracts they administer (i.e., not everything will require a Level 5 certification in order to bid). The required CMMC level will be addressed in sections L & M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts.

What if my company is a sub contractor? Does it still affect me?
Yes, all companies doing business with the Department of Defense will need to obtain a CMMC level. Once you complete the certification, your certification level will be made public, however, details regarding specific findings will not be publically accessible. The DoD will be able to see your certification level.

How do I get certified?
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of certification requested based on the organization’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the associated maturity in capabilities and organizational policy to the satisfaction of the assessor and certifier.

Why now?
There has been an increased number of cyber attacks on government agencies, defense contractors and high-tech companies. Some of these crimes result in losses of more than a $1 million. As we spend money on research and development, adversaries are stealing and using our information at a much lower cost to them. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The department is committed to working with the Defense Industrial Base (DIB) to enhance the protection of controlled unclassified information (CUI) within the supply chain. OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the CMMC.

What has OUSD(A&S) provided the community so far?
In late August the draft CMMC framework rev 0.4 was released with requests for feedback from the community. They compiled that feedback and in early November released version 0.6. The official version 1.0 of the CMMC framework will be available in January 2020 to support training requirements before auditing begins. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information.