At this point, especially if you have ever contracted or subcontracted with the Federal government, you have probably at least heard the letters CMMC thrown about. There may even have been a twinge of trepidation surrounding those letters. But what do they actually mean, and why should you even care? Over the next few months we would like to help demystify these ominous letters and bring about a better understanding of the what, why, and how surrounding them.

The government loves its acronyms and initialisms, and this new regulation is no different. CMMC stands for Cybersecurity Maturity Model Certification, and it is designed to be a system that helps ensure the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by any company that is part of a Department of Defense (DoD) contract.

The start of all of this can probably be traced back to the Federal Information Security Management Act (FISMA) of 2002. FISMA requires “every federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.” FISMA was updated in 2014, around the same time the DoD implemented Defense Federal Acquisition Regulation Supplement (DFARS) rule 7000.

DFARS rules required that all DoD contractors perform self-assessments against the National Institute of Standards and Technology (NIST) SP 800-171 standard. While these rules technically applied to all contracts, there was no system in place to ensure that anyone was actually meeting the standard, so a system to certify contracts was created. DFARS Case 2019-D041 was published in 2020, and CMMC 1.0 was born. This initial program had five levels, was complicated, and differed somewhat from the previous DFARS requirements. It took only about one year, with public feedback, for the DoD to update the requirements to CMMC 2.0. This update simplified the certification levels to three and aligned the standards to NIST SP 800-171 and SP 800-172.

[Image: US and Colombian ships at NS Rodman in 1989]

That brings us to where we are today. The comment period for CMMC 2.0 was earlier this year, and the DoD is currently in the rulemaking process. The requirements are expected to be made official early next year, with a phase-in period to follow. You will start seeing DoD contracts published with a required CMMC level that a company must hold in order to bid on them.

So why does all of this matter? Ultimately, if you want to hold a DoD contract, or be part of one as a subcontractor under a prime, you will have to meet some level of this certification. But there is the additional benefit of improving your overall security posture and helping to protect your company from cyber threats.