The Cybersecurity Maturity Model Certification (CMMC) is a new Department of Defense standard for implementing cybersecurity across the Defense Industrial Base. CMMC focuses on two data types: Federal Contract Information and Controlled Unclassified Information. A CMMC certification will be required both to be awarded DoD contracts and to keep performing on them.
Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
We recommend checking your contractual instruments for the following clauses:
- Federal Acquisition Regulation (FAR) 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
The DFARS interim rule was published on September 29, 2020 and became effective November 30, 2020. It introduced three new contract clauses:
- DFARS 252.204-7019: Advises offerors that are required to implement NIST SP 800-171 that, to be considered for award, they must have a current (not older than three years) NIST SP 800-171 DoD Assessment on record, with the summary score posted in the Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020: Requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment.
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements, is prescribed for use in all solicitations and contracts or task orders or delivery orders, excluding those exclusively for the acquisition of Commercial-Off-The-Shelf (COTS) items.
Under the CMMC requirements in the interim rule, self-certification (a contractor attesting to its own compliance) is no longer accepted; certification requires an assessment by an authorized third party.
A CMMC 3rd Party Assessment Organization (C3PAO) will schedule and coordinate with your organization to perform a certification assessment. Once the assessment is completed and if there are no deficiencies, the C3PAO will issue an appropriate CMMC certificate to your organization, which will be valid for three years.
C3PAOs are authorized and accredited by the CMMC Accreditation Body to conduct certification assessments of Defense Industrial Base organizations.
The CMMC assessment costs depend on various factors such as CMMC level, scope, and complexity of your organization.
If you do not hold a CMMC certificate at the level required by the solicitation at the time of contract award, you will not be eligible for that award.