The Cybersecurity Maturity Model Certification, or CMMC, has become an increasing hot topic in the government contracting industry. What is CMMC, does it apply to your company, and what do you need to know about the certification? The high-level overview below will help get you up to speed on CMMC.
What is CMMC?
Cybersecurity Maturity Model Certification establishes and verifies that companies within the Defense Industrial Base (DIB) are implementing cybersecurity measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
The CMMC Accreditation Body (CMMC-AB) will authorize and accredit CMMC Third Party Assessment Organizations (C3PAOs). Contractors that are required to meet CMMC requirements will select a C3PAO to conduct an assessment, and if the assessment report does not reveal any deficiencies, the C3PAO will issue the contractor the appropriate CMMC certificate.
It is important to emphasize, Cybersecurity Maturity Model Certification assessments can only be conducted by C3PAOs that are authorized and accredited by the CMMC-AB and listed on the CMMC-AB Marketplace. Knowing this will help prevent contractors from falling victim to CMMC related scams that have already been reported.
Who Does CMMC Impact?
CMMC impacts companies that do business with the Department of Defense (DOD), including subcontractors. There is an exception, however, for companies that only produce Commercial-Off-The-Shelf (COTS) products are exempt from CMMC requirements.
We should note, in the beginning stages, pursuing a DOD contract does not necessarily mean your company is required to meet CMMC requirements. DOD is taking a phased approach to implementing the program. According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, no more than 15 new prime acquisitions will include the CMMC requirement in fiscal year 2021. That number is set to increase steadily through fiscal year 2025.
CMMC and GSA
At this time, the intent is for CMMC to be implemented within DOD contracts only. However, as FCW and FedScoop have reported, GSA has recently included CMMC language in two of their Governmentwide Acquisition Contracts (GWACs), STARS III and Polaris. According to GSA’s Federal Marketplace Strategy Release, the ASTRO solicitation will offer selected vendors the opportunity to undergo a trial third party assessment to gage readiness for any future CMMC requirement.
Two Important Notes on GSA’s Use of CMMC Language:
- CMMC requirements for STARS III and Polaris would be at the order level
- GWACS, including STARS and Polaris, are not part of the GSA Multiple Award Schedule (MAS) Contract
Full FAQ
Above, we provided a highly simplified overview of the Cybersecurity Maturity Model Certification. For more information and to review the full FAQ, visit the Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC page here.
Additional Reading
- FCW | CMMC reciprocity in sight for 2021
- Federal News Network | CMMC: ‘Changing culture one company at a time’
- Federal News Network | CMMC update: Pilots, 3PAOs and more of what vendors need to know
- FedScoop | For contractors seeking CMMC certification, start with a self-check, DOD says
- FedScoop | CMMC model tweaks coming after industry feedback