These four letters have become a heightened topic of conversation among industry professionals since being announced in early 2019.
Standing for Cybersecurity Maturity Model Certification, CMMC is a standard for verifying the implementation of cybersecurity across the Defense Industrial Base.
The days of self-assessing your cybersecurity to assure other contractors that it is up to snuff, so that you can be included on a project, are over.
Now, with CMMC, a stringent third-party compliance audit and certification must take place in order to qualify as a sub-contractor for a DoD contract.
The CMMC is set up so that there are five levels an organization can qualify for. Each level consists of practices and processes as well as those specified in the lower levels, which are based on the information/data being handled.
With the introduction of the DFARS Interim Rule (which should become a final rule this fall), DoD contractors who are subject to DFARS must perform a self-assessment of their NIST SP 800-171 implementation progress and enter their score into the Supplier Performance Risk System (SPRS).
They also must be prepared for an independent medium or high DIBCAC assessment from DCMA.
Technically, these two new requirements have nothing to do with CMMC. They serve as a bridge of sorts, so that cybersecurity posture within the DIB continues to move forward while CMMC continues to evolve.
It’s expected that CMMC Level 1 certifications will be available in the first half of 2022.
CMMC Level 1, which contains 17 requirements, is designed to safeguard Federal Contract Information. According to the Cybersecurity Maturity Model Certification Version 1.02 document dated March 18, 2020, Level 1 requires that an organization perform the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
The DoD’s goal is for every new contract solicitation to include a CMMC level requirement by January 2025.
Now that we’re in the middle of 2021, if you haven’t begun the process of meeting requirements and scheduling a diligent compliance review with an experienced 3rd party, you are behind.
Only approved and authorized Certified 3rd Party Assessment Organizations (C3PAOs) listed on the CMMC-Accreditation Body (AB) Marketplace website can conduct CMMC certification assessments.
Approved C3PAOs must pass their own rigorous DIBCAC assessment in order to be authorized to conduct CMMC certification assessments.
Make sure you’re working with someone who has the experience to help you prepare correctly!
At WB Industries, we are proud to be part of a process that will enhance national security, and we are eager to begin receiving our CMMC certifications as they become available.