If You Sell to DOD, Pay Attention to CMMC

By Troy Fortune, Vice President & General Manager

You’ve probably heard that the Department of Defense (DOD) recently released the official version 1.0 of its new Cybersecurity Maturity Model Certification (CMMC 1.0).

This is one of the hottest topics in government contracting right now and immixGroup is following developments very closely. And, it will affect everyone in our industry who sells to DOD – resellers, distributors and OEMs. 

As a quick refresher, this is a cybersecurity standard that all contractors must meet if they want to do business with DOD. As we’ve discussed before in a previous blog, the standards themselves are taken from existing ones. With CMMC 1.0, we now have more clarity on what the 5 levels of CMMC entail:

Level 1: Basic safeguarding of federal contract information
Level 2: Transition step to protect controlled unclassified information (CUI)
Level 3: Protecting CUI
Levels 4-5: Protecting CUI and reducing risk of Advanced Persistent Threats (APTs)

It’s important to note that Levels 2-5 contain practices not captured in NIST 800-171. DOD plans for a gradual rollout with 10 RFIs and 10 RFPs scheduled for this fiscal year (October to September) that incorporate CMMC. The number of contracts with CMMC requirements will increase in ensuing years:

• 75 contracts including CMMC by FY22 (i.e. by Oct 2021)
• 250 contracts by FY23
• 479 contracts by FY24

The goal is to have all contracts covered by CMMC by FY26.

How do I get CMMC certified?

DOD is training auditing firms, or CMMC third-party assessment organizations (C3PAOs), that will oversee certifying contracting companies. This training is expected to run through June.

Once up and running, anyone wanting to do business with DOD will be able to apply for certification through a marketplace portal run by the accreditation body. CMMC certification will be good for three years and with it you will be able to bid on contracts across DOD and the military services.

What are my next steps?

As we mentioned in a recent blog on how to prepare for CMMC, make sure your house is in order. Starting on page 10 of the CMMC 1.0 main document you’ll find detail on the practices for each level. Map those against your current security posture and identify the gaps.

Make sure your suppliers and partners are aware of CMMC because these requirements will apply to every link in the DOD supply chain.

View the on-demand CMMC webinar recorded March 5 for additional insight into the DOD’s latest announcement.

To keep on top of the latest IT trends, subscribe to immixGroup’s Government Sales Insider blog today.