CMMC Compliance for DoD Contractors—What You Need To Know

October 16, 2021

If you’re a company that sells into the Department of Defense, as many companies in the DMV do, you are probably already aware of the Cybersecurity Maturity Model Certification (CMMC).

Most people get overwhelmed when they first find out about the CMMC and what it will take for their organization to become compliant. We can’t blame them: the CMMC Level 3 Assessment Guide is a 430-page PDF!

This is why our experienced team of IT consultants in the DMV has put together this introductory guide that will break down the CMMC.

What Is CMMC Compliance?

The Cybersecurity Maturity Model Certification is the latest set of cybersecurity requirements for companies that wish to bid on DoD contracts. These requirements are not voluntary: companies with current contracts will need to get certified if they wish to renew those contracts or apply for new ones.

These requirements were designed to protect the sensitive but unclassified information that flows through the defense supply chain from adversaries, including state-sponsored attackers, and to prevent breaches of personal and confidential information. As recently as 2018, the Pentagon suffered a data breach that exposed the travel records and personal information of roughly 30,000 DoD employees.

The DoD is therefore taking cybersecurity very seriously and requiring almost every contractor to obtain this certification.

How Do I Know If I Need To Be CMMC Certified?

Almost every DoD contractor will be required to attain one of the three levels of CMMC certification.

The only companies exempt from the CMMC requirement are those that sell the DoD products that are not modified in any way to suit the DoD’s needs. These products are generally referred to as commercial off-the-shelf (COTS) products, and the exemption applies only to contracts that consist solely of them.

Everyone else will need to reach one of the three CMMC maturity levels.

Maturity Levels of the CMMC

The CMMC comprises three levels:

  1. Level 1. Contractors receiving Federal Contract Information (FCI) must reach Level 1.
  2. Level 2. Contractors who do not currently handle Controlled Unclassified Information (CUI) but wish to apply for contracts that involve it.
  3. Level 3. All contractors receiving any CUI will need to reach Level 3.

What Is The Deadline For Becoming CMMC Compliant?

The deadline for becoming CMMC compliant was originally expected to be September 2021 but has been pushed back because of COVID-19. As of October 2021, no companies are certified, because the DoD has yet to begin CMMC assessments.

While there is no firm due date yet, we expect assessments to begin in late 2021. If your company or organization plans to apply for DoD contracts in the future, we recommend that you start preparing for the coming CMMC assessments as soon as possible.

CMMC Compliance Checklist

Contractors may pursue CMMC compliance with their internal team, or they may hire an experienced IT services company to help with certification.

Please follow this essential CMMC compliance checklist to make sure your organization is good to go:

  • Determine your maturity level. The first step toward CMMC certification is knowing which level you will need. See our breakdown of the three levels in the section above.
  • Scope out where FCI and CUI exist. Look at your systems and supply chain and identify who has access to what information; the scope of your assessment is every system, person and location that stores, processes or transmits that data. Use the Unified Scoping Guide for reference.
  • Build a secure environment for that data. If you are using cloud storage, make sure the provider meets DFARS 252.204-7012, which requires a FedRAMP Moderate baseline (or equivalent) and the cyber incident reporting obligations that flow down to the provider.
  • Provide evidence that your company meets the practices (controls) for its level. Level 1 requires 17 practices; the CUI level (Level 3 in the breakdown above) requires 130. Evidence means documented policies and procedures plus artifacts such as configuration exports and logs that show each practice is actually in place, not just written down.
  • Hire an experienced CMMC assessment organization to do a mock (readiness) assessment. This will reveal any gaps before the real assessment does.