The Cybersecurity Maturity Model Certification is a new requirement for DoD contractors and subcontractors. It brings together a number of older cybersecurity requirements to better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
There are two major differences between the CMMC and older cybersecurity requirements:
- First, contractors will be audited by third-party assessors (the so-called Certified 3rd Party Assessment Organizations, or C3PAOs for short). Based on the requested audit level, the C3PAO will determine whether the contractor passes or fails the audit. In other words, the CMMC will not contain any self-attestation component, although contractors are encouraged to complete a self-assessment prior to scheduling a CMMC certification.
- Second, the CMMC defines five certification levels as a more flexible alternative to previous one-size-fits-all approaches. It’s up to contractors to pass an audit at the level specified in Requests for Information (RFIs) and Requests for Proposals (RFPs).
The first full version of the CMMC was published on the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment in January 2020, and all DoD contractors should expect to start seeing CMMC requirements as part of the RFP process from September 2020.
The only contractors that won’t be required to achieve one of the five levels of certification are those that provide commercial off-the-shelf products and don’t handle any CUI.
The most important CMMC dates you need to be aware of include:
- January 2020: The introduction of CMMC Version 1.0.
- June 2020: The release of requirements and the opening of registration for C3PAOs.
- September 2020: DoD starts incorporating CMMC requirements in RFPs.
- 2021 – 2025: The implementation of the CMMC through a phased rollout.
- 2026: CMMC certification will become a requirement for all contractors doing business with the DoD.
Waiting until the due date to get your CMMC certification can lead to numerous missed opportunities. Contractors that have their CMMC certification now have the benefit of already meeting CMMC standards, proving to the DoD and those sourcing government contractors that they are already aligned with their goals and objectives. Build trust now so that your reputation is established long in advance of the 2026 deadline. Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is happy to talk through the steps your particular company should take in the CMMC process, or get started on your certification.