CYBERSECURITY MATURITY MODEL CERTIFICATION
October 2020 - the U.S. Government initiated sweeping acquisition change; the DoD now requires evidence of minimum cybersecurity compliance to receive a contract award.
The Department of Defense (DoD) is the first to implement the new change as its Cybersecurity Maturity Model Certification (CMMC) program.
100% of all DoD contractors and subcontractors must obtain CMMC certification and provide evidence of compliance by FY25.
The DoD interim rule is posted in the Federal Register for review and comment: Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
CMMC Frequently Asked Questions
What is CMMC and Why Now?
CMMC is the DoD's response to increased cybersecurity failures across its Defense Industrial Base (DIB) despite prior self-managed compliance requirements imposed on the DIB.
"In the past two years, Pentagon officials have become increasingly concerned that one of their greatest cybersecurity risks lies in the second- and third-tier contractors who work with the Defense Department and the largest defense companies." Ms. Ellen Lord, DoD Undersecretary for Acquisition & Logistics, March 2019.
Prior to CMMC, the DIB was asked to comply with, and attest that it was meeting, the many controls, goals, & objectives of the National Institute of Standards and Technology (NIST) Special Publication 800-171: Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations.
Malicious Cyber Attacks by U.S. Persons, Foreign Governments, & Non-State Cyber-Terrorists occur daily, costing the economy tens of billions of dollars every year and threatening our country's and the global community's economic security.
Cyber Theft, Mishandling Materials, & Accidental Spills place our national security at risk and result in the loss of U.S. industrial & military information, innovations, & advantages.
Lack of Compliance Mandate resulted in a lack of compliance and a continuance of, and increase in, cybersecurity failures.
Will I lose my current DoD contract if I don't have my CMMC certification?
No. You won't lose any current contracts awarded to your business that do not contain a CMMC requirement, regardless of your CMMC certification status. CMMC will also not be retroactive, meaning that your current contracts will not be amended to add the CMMC requirement.
Does my business need CMMC certification to bid on DoD contracts?
Your business does not need its CMMC certification to bid on contracts. However, if your business bids on a contract that includes the CMMC level requirement, then your business must have its CMMC certification at the required level at the time of award or your business will be disqualified. There is no forgiveness.
How long does CMMC certification take?
The CMMC Accreditation Board (CMMC-AB) estimates that it will take approximately three to six (3 - 6) months for a business to prepare for CMMC Level 3 certification. This is just an estimate and it doesn't take into account the unique requirements and dependencies that may apply to your business. Ask yourself: What is the state of our current NIST 800-171 compliance? Who within the business will support CMMC? How much time can these staff devote to CMMC daily? What do I have to budget for and over what period of time? There are a lot more questions, of course. SoundWay can help. Let us help make this less scary and more manageable for you and your business. We'll come up with a plan and a budget that works for you.
Can I put off CMMC certification until I have a contract that requires it?
Putting off CMMC certification is RISKY. If your business bids on a contract that includes the CMMC level requirement, then your business must have its CMMC certification at the required level at the time of award or your business will be disqualified. There is no forgiveness.
Additional Risk in Putting Off CMMC Certification: Something to keep in mind - there are over 300,000 businesses supporting the DoD. Almost ALL of these businesses will seek CMMC certification. Only a CMMC-AB Certified C3PAO is qualified to conduct a certification assessment, and there will be a finite number of C3PAOs. If you wait too long, even if your business is ready for its assessment, you may lose a contract if you cannot be assessed in time.
My business is a sub-contractor; does it need CMMC certification?
Yes. Both Prime-Contractor and Sub-Contractor must have a contract's required CMMC level certification at the time of award. If a Sub-Contractor does not have the required level certification, then it cannot perform work on the awarded contract until it receives its CMMC certification at the level required by the contract. The risk: by the time your business gets its certification your Prime-Contractor may have replaced you.
How many CMMC certification levels are there?
There are five (5) CMMC Certification Levels ranging from Basic Cyber Hygiene to Advanced / Progressive Cyber Hygiene. The level your business needs will be determined by the Government contracting officer and Government client. The below figure identifies the CMMC certification levels and the number of cybersecurity practice requirements for each level.
For most businesses, CMMC compliance and certification will have a noticeable impact on the business culture and business practices. This is why SoundWay emphasizes the need to start your CMMC-certification journey sooner rather than later.
What CMMC certification level does my business need?
The level your business needs depends on a number of factors, but the primary factor is the CMMC certification level that your DoD client requires or has indicated it will require.
Other factors that influence the level you'll need include: What does your business do and where does it do it? Where does your business store its Controlled Unclassified Information (CUI) and its Federal Contract Information (FCI)?
Can I prepare my business for its CMMC certification assessment in-house?
Your business, any business, may choose to prepare itself for its CMMC certification assessment if it's confident that it has the in-house expertise to do so. The DoD's CMMC website provides the most recent CMMC Model used for CMMC certification assessment.
However, many businesses don't have the in-house expertise - and that's why SoundWay is here!
We can help your company determine the CMMC certification level it needs, conduct a thorough gap analysis to determine what you need to do for compliance, put together a project plan for conducting and completing the tasks needed for compliance, conduct a mock-compliance assessment for confidence, and much more. Contact SoundWay for more information on how SoundWay can help you meet your CMMC certification goal.
Can any cybersecurity company help my business prepare for CMMC certification?
The CMMC-AB Marketplace is a directory of companies that the CMMC-AB has certified as Registered Provider Organizations (RPO): companies formally recognized for their CMMC expertise & capabilities, and their ability to provide CMMC certification-preparation consulting services. SoundWay is an RPO & is listed in the Marketplace. Contact SoundWay for more information on how SoundWay can help you meet your CMMC certification goal.
SoundWay Can Help You Prepare For & Pass Your CMMC Certification Assessment.