The Federal government began phasing CMMC requirements into new contracts in 2020. By 2026, nearly all new federal contracts will include CMMC requirements. Here’s what you need to know to prepare.
The U.S. Department of Defense (DoD) Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment is implementing the CMMC as a mechanism to help protect DoD intellectual property and sensitive information from cyber security events against prime and sub-contractors. Focusing on the security and resiliency of the DoD’s external supply chain, including members of the Defense Industrial Base (DIB), the CMMC introduces leveling requirements for the domains, practices, and procedures organizations must have certified by a third party assessor in order to compete for most DoD contracts. AWS enables defense contractors to create CMMC-compliant environments to process, maintain, and store DoD data.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification.” The CMMC encompasses multiple maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” Each maturity level includes progressively more demanding process and practice requirements to achieve the certification. DoD contracts will define the required CMMC levels; Level 1 – safeguard Federal Contract Information (FCI), Level 2 – transition to protect Controlled Unclassified Information (CUI), Level 3 – protect CUI, and Levels 4 and 5 – protect CUI and reduce risk of Advanced Persistent Threats (APTs).
Why is CMMC being implemented?
The DoD is transitioning to the new CMMC framework to protect against the theft of DoD sensitive information and intellectual property. The CMMC framework will assess and enhance the cybersecurity of the Defense Industrial Base (DIB) supply chain and verify that appropriate cybersecurity practices and processes are in place.
Who needs to be CMMC certified?
The DoD estimates that more than 300,000 DIB organizations will require assessment and certification to one of the five CMMC levels. This includes prime contractors, subcontractors, and generally all organizations that sell or service the DoD. CMMC level requirements will be issued individually by DoD contract.
When is the DoD implementing the CMMC requirement?
The DoD will incrementally phase in CMMC requirements on DoD request for proposals (RFPs) and contracts beginning in April 2021, with full implementation targeted for 2026. DoD has identified 15 initial acquisitions, referred to as Pilots, to participate in the initial CMMC rollout. Over the next five years CMMC requirements will be included in new DoD contracts at an increasing rate, with nearly all new DoD contracts including CMMC requirements by 2026.
How does my organization get certified?
DoD created the CMMC Advisory Board (CMMC-AB) to be an independent organization that is responsible for administering the CMMC certification process for C3PAO, assessors, and DIB entities. C3PAO assessors will assess organizations using the CMMC levels as criteria. The Defense Contract Management Agency (DCMA) announced their intent to certify C3PAOs as CMMC Level 3 certified beginning in March 2021. The CMMC-AB maintains a CMMC Marketplace that identifies C3PAOs at https://cmmcab.org/marketplace/.
Visit the CMMC website to learn more.