In November 2021, the U.S. Department of Defense (DoD) announced changes to the CMMC model, branded as CMMC 2.0. Many of the requirements remain the same; however, we urge you to refer to our detailed overview highlighting five key changes in CMMC 2.0 and their impact on your organization.
The Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) in early 2020 to standardize how contractors protect government information. While CMMC builds upon existing regulations, including Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and NIST SP 800-171, the “certification” part is new and will require prime contractors and subcontractors to be certified by third-party assessors.
Organizations have plenty of questions about who needs certification, how long the process will take, what level of certification they will need and, most importantly, when they will be able to start the assessment process. Baker Tilly’s IT risk and cybersecurity practice recently hosted a CMMC readiness webinar series to help answer these questions.
In part one, Understanding CMMC and the implications for DoD contractors, Matt Gilbert, principal, and Mike Cullen, director, discussed the basics of the certification and what organizations needed to know to prepare. In part two, Navigating the CMMC assessment, Gilbert interviewed Jeff Dalton, CMMC-AB board member and chair of its accreditation and credentialing committee, who gave a status report on when organizations may expect assessments and how long it may take.
The DoD launched the CMMC to ensure all contractors supporting the defense industrial base have proper cybersecurity in place. If the DoD is sharing either federal contract information (FCI) or controlled unclassified information (CUI) with an organization, that organization has a responsibility to protect that data. CMMC certification makes certain the right protections are in place, and