What is CMMC?
March 24, 2021
By Jeff Ellinport, Division Counsel
Although CMMC has been around for more than a year, it never hurts to review what it is and why those who sell into DOD and the rest of the federal government should care.
CMMC stands for Cybersecurity Maturity Model Certification. It is a certification process for measuring a company's ability to protect sensitive government information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), on its own information systems, and it is intended to be a unified standard for implementing cybersecurity across the defense industrial base. CMMC is a way for DOD (and, probably soon after, civilian agencies as well) to address intellectual property theft, cybercrime and national security threats of the type evidenced by the recent SolarWinds supply-chain attack.
Once fully implemented, CMMC will be an acquisition foundation, required for almost every contractor transacting business with the U.S. government.
CMMC Maturity Levels
CMMC has five maturity levels, ranging from basic cyber hygiene at Level 1 to very advanced requirements at Level 5. Level 1 corresponds to the 17 basic safeguarding practices already required by FAR 52.204-21, and Level 3 (the level needed to handle CUI) encompasses the 110 security requirements of NIST SP 800-171 plus 20 additional practices. These certification levels reflect the maturity and reliability of a company's cybersecurity program for safeguarding sensitive government information on the contractor's own information systems. The five levels are cumulative: each level requires compliance with all lower-level requirements, plus implementation and documentation of additional processes and more rigorous cybersecurity practices.
CMMC will eventually require almost all contractors doing business with the Department of Defense to be independently certified by a CMMC Third-Party Assessment Organization (C3PAO) as meeting the level specified in the contract. The requirement flows down to every link in the supply chain, including OEMs, distributors and resellers, although a subcontractor need only hold the level appropriate to the information actually flowed down to it, which may be lower than the prime's. However, CMMC certification will not be required for companies that only provide commercial off-the-shelf (COTS) items. (See our previous blog that discusses whether the COTS exemption applies to you.)
The good news is that although CMMC was first introduced in the summer of 2019, the rollout has been, and will continue to be, gradual: under the phased approach in the interim rule, the CMMC requirement is not expected to appear in every new DOD solicitation until fiscal year 2026.
1,500 Certifications Expected by September
This year, DOD plans to include the CMMC requirement in 15 prime contracts, then scale up gradually to 479 contracts in each of fiscal years 2024 and 2025. Those plans forecast up to approximately 100 unique subcontractors on each prime contract, so the expectation is to have roughly 1,500 CMMC-certified contractors by the end of fiscal year 2021 (September 30). However, the majority of these are expected to require only a Level 1 certification.
DOD published the formal Interim Rule on September 29, 2020, effective November 30, 2020. It added the widely anticipated DFARS clause implementing CMMC in DOD contracts, 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement), but it also added requirements that apply now, ahead of any CMMC certification: DFARS 252.204-7019 and 252.204-7020 require contractors already subject to 252.204-7012 (i.e., those handling CUI) to complete a NIST SP 800-171 DoD Assessment, at a minimum a Basic self-assessment, and to have the resulting score posted in the Supplier Performance Risk System (SPRS) before award. For a more detailed analysis and discussion of CMMC and the Interim Rule's requirements, you can view my colleague Hollie Kapos' blog, "CMMC Interim Rule Includes New Compliance Requirements."