CMMC for DoD Contractors: Avoid Being Left Behind

Cybersecurity Maturity Model Certification (“CMMC”) Podcast

CMMC – Don’t Get Left Behind

Cybersecurity Maturity Model Certification (“CMMC”) is a cybersecurity requirement being phased in by the U.S. Department of Defense (“DoD”), and it will ultimately apply to suppliers at every tier of the supply chain for DoD contracts.

In this episode we host Scott Dawson, President of Core Business Solutions, to discuss the new cybersecurity requirements for everyone from large primes to small business subcontractors: anywhere information is exchanged or contracts are put in place to support defense work.

To safeguard sensitive national security information, the DoD launched CMMC as a three-level set of practices intended to protect the defense industrial base’s sensitive information from frequent and increasingly sophisticated cyberattacks.

Federal Contract Information (“FCI”) is protected by CMMC Level 1 and Controlled Unclassified Information (“CUI”) is protected by CMMC Level 2. CMMC Level 3 exists to protect highly sensitive CUI.

While companies should already have cybersecurity protections in place as a matter of good business practice, CMMC is a formal compliance process based on self-assessments (Level 1 and lower-priority Level 2), third-party assessments (higher-priority Level 2), and government-led assessments (Level 3). Without the certification a contract calls for, a company will be ineligible for that DoD work.

CMMC is a DoD requirement, but it has not yet been written into contracts. Companies should expect it to become part of the terms and conditions of DoD and related contracts soon. To be awarded future contracts, companies will need to deploy information security controls and put formal cybersecurity policies in place that drive action across the organization and require both technical and organizational upgrades.

The rapidly approaching implementation deadline means that defense industry contractors and subcontractors should not wait to get started. The formal CMMC regulations are expected to be finalized by March 2023, with the requirements beginning to appear in contracts in May 2023. It is estimated that as many as 300,000 companies doing business with the DoD may be affected.

The requirements for CMMC originate from the National Institute of Standards and Technology at the U.S. Department of Commerce, commonly referred to as “NIST.” NIST SP 800-171 specifies the security requirements for nonfederal systems that store, process, or transmit CUI, or that provide security protection for such systems.

Defense contractors must implement the security requirements in NIST SP 800-171 to demonstrate that they provide adequate security for the CUI handled under their defense contracts, as required by DFARS clause 252.204-7012. Contractors in the supply chains of the General Services Administration (“GSA”), NASA and other federal or state agencies may face the same NIST SP 800-171 requirement through those agencies’ own contract clauses.

It’s important for companies to get started now with a self-assessment to determine where they stand against the CMMC requirements and to begin an implementation strategy. The resulting NIST SP 800-171 self-assessment score is then submitted to the DoD Supplier Performance Risk System (“SPRS”). SPRS tracks suppliers’ past performance on contracts and quality scores, and it now also carries a cybersecurity score used to confirm eligibility to participate in defense contracts.
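As an added illustration (this is example code, not material from the podcast, Core Business Solutions or FedBiz), the small Python calculator below shows how a NIST SP 800-171 self-assessment score of the kind submitted to SPRS is computed under the DoD Assessment Methodology. The scoring rule itself (start at 110, subtract each unimplemented requirement’s weight of 5, 3 or 1, with partial credit only for 3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) is the published methodology; the requirement subset and the weights attached to it are an illustrative assumption for this example rather than the full 110-item table, and the sample assessment results are constructed.

```python
# Added example: NIST SP 800-171 self-assessment scoring in the style of the
# DoD Assessment Methodology. The rule (start at 110, subtract the weight of
# every requirement that is not met, partial credit only for 3.5.3 and
# 3.13.11) is the published methodology; the REQUIREMENTS table below is an
# illustrative subset with assumed weights, not the authoritative list.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110  # a fully implemented assessment scores 110


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"  # only valid for requirements with partial_deduction


@dataclass(frozen=True)
class Requirement:
    id: str
    title: str
    weight: int                              # deduction when NOT_MET (5, 3 or 1)
    partial_deduction: Optional[int] = None  # deduction when PARTIAL, if allowed


# Illustrative subset; weights are assumed for the example. The authoritative
# table of all 110 requirements is in the DoD Assessment Methodology.
REQUIREMENTS: Dict[str, Requirement] = {
    r.id: r for r in [
        Requirement("3.1.1", "Limit system access to authorized users", 5),
        Requirement("3.1.2", "Limit access to permitted transactions and functions", 5),
        Requirement("3.1.5", "Employ least privilege", 3),
        Requirement("3.1.8", "Limit unsuccessful logon attempts", 1),
        Requirement("3.1.10", "Use session lock with pattern-hiding displays", 1),
        Requirement("3.3.1", "Create and retain system audit logs", 5),
        Requirement("3.4.1", "Establish and maintain baseline configurations", 5),
        # MFA for remote/privileged access only: deduct 3 instead of 5
        Requirement("3.5.3", "Use multifactor authentication", 5, partial_deduction=3),
        Requirement("3.8.1", "Protect and securely store media containing CUI", 3),
        Requirement("3.11.2", "Scan for vulnerabilities periodically", 5),
        # Encryption in place but not FIPS-validated: deduct 3 instead of 5
        Requirement("3.13.11", "Employ FIPS-validated cryptography", 5, partial_deduction=3),
        Requirement("3.14.2", "Provide protection from malicious code", 5),
    ]
}


def deduction(req: Requirement, status: Status) -> int:
    """Points lost for one requirement given its assessed status."""
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL:
        if req.partial_deduction is None:
            raise ValueError(f"{req.id} does not allow partial credit; use NOT_MET")
        return req.partial_deduction
    return req.weight


def score(assessment: Dict[str, Status]) -> int:
    """Compute the self-assessment score. Requirements absent from the
    assessment are treated as NOT_MET, which is the conservative reading."""
    unknown = set(assessment) - set(REQUIREMENTS)
    if unknown:
        raise KeyError(f"unknown requirement ids: {sorted(unknown)}")
    total = MAX_SCORE
    for rid, req in REQUIREMENTS.items():
        total -= deduction(req, assessment.get(rid, Status.NOT_MET))
    return total


def poam_priority(assessment: Dict[str, Status]) -> List[Tuple[str, int]]:
    """Gaps ordered for a Plan of Action: largest deduction first, then by id,
    so the highest-weight unimplemented requirements are addressed first."""
    gaps = []
    for rid, req in REQUIREMENTS.items():
        lost = deduction(req, assessment.get(rid, Status.NOT_MET))
        if lost:
            gaps.append((rid, lost))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


# Constructed sample assessment: everything met except MFA (partial),
# FIPS-validated cryptography (not met) and session lock (not met).
SAMPLE_ASSESSMENT: Dict[str, Status] = {
    rid: Status.MET for rid in REQUIREMENTS
}
SAMPLE_ASSESSMENT["3.5.3"] = Status.PARTIAL
SAMPLE_ASSESSMENT["3.13.11"] = Status.NOT_MET
SAMPLE_ASSESSMENT["3.1.10"] = Status.NOT_MET

if __name__ == "__main__":
    print("score:", score(SAMPLE_ASSESSMENT))
    for rid, lost in poam_priority(SAMPLE_ASSESSMENT):
        print(f"  fix {rid} ({REQUIREMENTS[rid].title}): +{lost} points")
```

Two points the calculator makes concrete: a requirement that is never assessed costs as much as one that is assessed and failed, so the inventory of in-scope systems has to be complete before the number means anything, and the weighting means a handful of 5-point gaps (logging, MFA, malware protection, vulnerability scanning) drag the score down far faster than many 1-point ones, which is the order in which a Plan of Action should be worked.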

Don’t get left behind! It’s important to understand and get training in the CMMC requirements no matter the size of your business. Most small businesses don’t have deep IT resources or in-house cybersecurity experts, but outside experts can help guide you through this process. Attached is a guide called CMMC in a Small Business.

FedBiz Access (“FedBiz”) has a fulfillment team that takes the time to understand your business and asks the questions needed to build a solid engagement plan. FedBiz is a leading government contracting business development and marketing firm offering research and engagement strategy coaching, registrations, set-aside certifications, and GSA Schedules.

FedBiz has over 22 years of experience working with thousands of companies worldwide to help them win over $35.7 billion in awards. From registration to award, FedBiz helps businesses succeed in the government marketplace.

Frequently Asked Questions

1 What is CMMC and why is it important for businesses working with the DoD?

CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity requirement from the U.S. Department of Defense (DoD) designed to safeguard sensitive national security information. It will ultimately affect all suppliers throughout the DoD supply chain, and without certification, companies will be ineligible for work on DoD projects.

2 What are the different CMMC levels and what kind of information do they protect?

CMMC has three levels. Level 1 protects Federal Contract Information (FCI), Level 2 protects Controlled Unclassified Information (CUI), and Level 3 exists to protect highly sensitive CUI. These levels define the practices required to protect defense industrial base information from cyberattacks.

3 How does a company achieve CMMC compliance?

CMMC compliance is a formal process based on assessments. Level 1 and lower-priority Level 2 require self-assessments, higher-priority Level 2 requires third-party assessments, and Level 3 requires government assessments. Companies will need to employ information security solutions and put formal cybersecurity policies into place.

4 When will CMMC be a mandatory requirement for DoD contracts?

CMMC is a rapidly approaching DoD requirement that has not yet been written into contracts, but it will soon be part of the terms and conditions of DoD and related contracts. Companies should not wait to prepare if they expect to be awarded future contracts.