Tips for Preparing for DOD’s New CMMC

By Hollie Kapos, Corporate Counsel

The Cybersecurity Maturity Model Certification (CMMC) has been one of the hottest topics in government contracting this year. In fact, one of my colleagues addressed the topic in a blog on DOD and CMMC just a few months ago.

And no wonder everyone’s talking about it – it applies to ALL companies doing business with DOD, including OEMs, distributors and resellers. Here’s some basic information to help you prepare no matter where you are in the supply chain.

What is CMMC?

Intellectual property theft and cybercrime cost the United States billions of dollars and threatens national security. In order to protect government information from theft and other malicious cyber activity, DOD is making cybersecurity an acquisition foundation. Accordingly, DOD is developing the Cybersecurity Maturity Model Certification – a certification process to measure a company’s ability to protect sensitive government data.

CMMC will have 5 maturity levels, with basic cybersecurity hygiene at a level 1 to very robust requirements at a level 5. Requirements for Levels 1-3 are included in the latest draft of CMMC (Version 0.6 released Nov. 7, 2019). At this time, a Level 3 certification maps very closely to the NIST 800-171 controls currently required under DFARS 252.204-7012.  Levels 4-5 will be addressed in the next public release. The CMMC level requirement will eventually be incorporated in all DOD solicitations and will be a go, no-go factor for contract award.

Who will need certification?

All companies doing business with DOD, including all subcontractors in the government’s supply chain will need to obtain third-party certification. There are no exemptions for COTS or commercial items. However, the level of certification required for a given procurement will be based upon the amount of government information to be handled by contractors or subcontractors.

When is it going into effect?

The final version is expected to be released in January 2020. In June 2020, CMMC levels will appear in RFIs and certification will be required to bid on RFPs as early as September 2020. At least, that’s DoD’s expectation. It’s estimated that around 300,000 contractors will seek certification. If independent, third-party auditors begin assessments as soon as January 1, 2020, they would need to review over 1,100 contractors per day (including holidays and weekends) to complete review by the end of September.

How can my company prepare?

  • Start assessing your controls now. Model Version 0.6 provides the current requirements for Levels 1-3. Identify which requirements you currently meet and any gaps you may have for each Level. This can take a significant amount of time, so don’t wait!
  • Plan which gaps to fill. Do you at least meet Level 1? If not, consider what it will take to get there within the next year or risk losing out on DOD business. Maybe you meet all Level 1 requirements, but how much would it take to get to Level 2 in terms of time, cost, and effort.  What about Level 3?
  • Speaking of costs, keep track of them. DOD says compliance costs will be allowable on time and materials and cost-plus contracts. Unfortunately, commercial-item contractors conducting business on a firm-fixed price basis will not be able to recover costs. However, DoD has said it will make funds available to assist small businesses with compliance.
  • Prepare to capture supply chain data. When a solicitation is released, you’ll want to know who in your supply chain can support a proposal. Consider how you will collect OEM, distributor, and reseller CMMC Levels. DOD says this information will be public – will you gather information from the public listing or query your supply chain via more formal reps and certs? Also, consider how to store the data you collect. If your supply chain ecosystem is small, a simple spreadsheet might be sufficient. But if you have hundreds of partners and suppliers, you might need a new field in your CRM solution to capture CMMC Levels.
  • Stay tuned. Keep an eye out for the next version release and additional information from DOD. We’ll also post updates on the immixGroup blog.
Keep up to date on the latest IT trends in government. Subscribe to immixGroup’s Government Sales Insider blog.
View the recent panel discussion I moderated at the 2019 Government IT Sales Summit where we discussed CMMC – GSA and the Evolution of Government Contracts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: