Cybersecurity Requirements Are Changing for Defense Contractors. Is Your Organization Ready for CMMC?

Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is a new framework developed by the U.S. Department of War (DoW) to better protect sensitive information between the DoW and the Defense Industrial Base (DIB). It is designed to ensure that all contractors (including subcontractors and subrecipients) working with the DoW have strong cybersecurity practices in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Why Is CMMC Important?
Cyberattacks have cost the U.S. and global economies hundreds of billions of dollars. Over 300,000 DIB companies that help support the U.S. military have been targeted. When the FCI and CUI shared between them are compromised, national security and the military advantage are put at risk.

What Does CMMC Include?
CMMC has different levels of requirements that contractors and subcontractors must meet based on the type of information they handle. Some will need to meet only basic standards, while others will need a more advanced certification depending on the sensitivity of their work. It builds on existing federal requirements, including:

  • Basic protections for FCI under FAR Clause 52.204-21

  • Stronger protections for CUI under NIST SP 800-171 and DFARS Clause 252.204-7012

What Does It Mean for Contractors?
Any organization that does business with the DoW as a prime contractor, or as a subcontractor to a prime, must be CMMC-certified to show it can properly safeguard sensitive information. Even if you already hold one or more DoW contracts or subcontracts, you will need to obtain CMMC certification to win new work or renew existing contracts once CMMC requirements are in place. Without it, you may not be eligible for certain contracts or subcontracts. It's important to start preparing now by assessing current cybersecurity practices and closing any gaps.


How Do I Find Out What Level of Certification My Organization Needs to Obtain?
The required CMMC level will be specified in each DoW contract or subcontract. To determine what level your organization needs:

  • Review your contracts to see whether you handle FCI or CUI

  • Consult with your contracting officer or prime contractor for clarification

  • Check Requests for Proposals (RFPs) for the required CMMC level

  • Assess your environment: If you only manage basic contract info, Level 1 may be enough; if you store or process sensitive technical data, Level 2 (or eventually Level 3) may be required


When Will It Take Effect?
CMMC is being rolled out in phases. It is expected to be fully required in DoW contracts by 2026, but contractors and subcontractors should begin preparing now to meet the necessary standards and avoid losing future opportunities. For questions or additional information, feel free to contact us at CMMC@cyber.org.
