Are you ready for CMMC? Neither are we! But we are working on it! CMMC stands for Cybersecurity Maturity Model Certification. And although this certification doesn’t yet exist, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD) tells us it’s coming, and it’s supposed to be here by June. What this means is that if you hope to bid directly on any work for the DoD later this year, your bid may well be eliminated if you do not provide proof of your certification. Even worse, you can’t be a subcontractor to a Defense prime without it. The objective is the protection of controlled unclassified information (CUI) within the supply chain.

Now, if you already have DoD contracts, they most likely include the DFARS clause requiring compliance with NIST 800-171. And you probably assured them that you comply by putting together your own document saying that you do. Well, now a third party needs to agree that you comply, and will give you a certificate to prove it.

So, what is CMMC? In the words of OUSD:
- The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- The intent is for certified independent third-party organizations to conduct audits and inform risk.
So, how can your company prepare? You might want to do what we’re doing. We are reviewing our existing compliance statement to make sure it’s up to date. We’re monitoring the progression of this program by attending seminars and getting email updates. We’re speaking to organizations that are in the know, including the Michigan Manufacturing Technology Center and the National Science Foundation. And we’re notifying our subcontractors to get on the bandwagon if they hope to subcontract to us in the future. In fact, that’s one of the bonuses of the CMMC. We will no longer have to vouch for the DFARS compliance of our subs. They will be certified separately, lowering our flow-down security risk.
If you are a contractor to the DoD, or are planning to be one, you’ll want to get on this now. Even if you’re not, if you contract with other Federal Government agencies you may still want to get on this, because word is that other agencies are looking over the shoulder of the DoD to see how this all works out. But you don’t have to take my word for it. Here are a few websites where you can learn more for yourself:
https://www.acq.osd.mil/cmmc/index.html
https://go.pardot.com/l/129231/2019-11-11/342j6s
https://economicgrowth.umich.edu/defense-cybersecurity-assurance-program/
Stay safe!