CMMC

Cybersecurity Maturity Model Certification

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a unifying standard for implementing cybersecurity controls across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of the cybersecurity maturity level. In other words, your company must pass an assessment by a certified CMMC assessor to attain a specific level of maturity.

CMMC is designed to provide increased assurance to the Department of Defense that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain. 

The DoD is currently revising the program and will issue interim guidance in May 2023 with final implementation 60 days after publication. Once issued, CMMC compliance will be mandatory for all new DoD contracts and all current contracts at time of renewal.

Why CMMC is important

The DoD will enforce CMMC compliance upon issuance of their final rule. DIB suppliers will be required to pass regular assessments certifying compliance with their target level of cybersecurity maturity.  Suppliers are free to bid on contracts requiring any level of maturity, however only those companies certified at or above the level of CMMC required for that contract will be qualified for the contract award.

Existing contracts will be impacted. In order to continue providing services to the DIB, all current contracts will need to meet current CMMC requirements in effect at time of renewal. Our assessment team will review your organization against its target maturity level, and will produce a report of confidential recommendations that we will review with you to identify any gaps or deficiencies and develop appropriate remediation for mitigation strategies. CMMC Auditors are required to report their results to the DoD; thus it is crucial that a thorough risk assessment is conducted and that any findings are remediated prior to a formal CMMC assessment.

Why compliance is required

The Department of Defense is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector (including parts and services suppliers). The CMMC is intended to serve as a verification mechanism to ensure that the DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

The DoD intends that all DIB suppliers be certified to a specific level of maturity over the next few years. Suppliers unable to pass certification at or above the CMMC maturity level required for that bid will no longer be awarded DoD contracts.

The Risk of Self-Attestation

In October 2021, the U.S. Department of Justice announced their new Civil Cyber-Fraud Initiative. Under this initiative, the DOJ will pursue liabilities against government contractors. As a result, all current and prior self assessment attestations are subject to audit and any undue findings may be reported as fraud to the Department of Justice under the Federal False Claims Act (FCA). In addition to allowing the United States to pursue perpetrators of fraud on its own, the FCA allows private citizens to file suits on behalf of the government.

Click here to learn more about the U.S. DOJ's Civil Cyber-Fraud Initiative.

Need help with your cybersecurity compliance?

Our experts helped write the CMMC policy. Contact us for a free CMMC plan overview and let's assess your situation together.