Cybersecurity Maturity Model Certification (CMMC) raises the bar for contractors

The United States Department of Defense (DoD) will require organizations conducting business with the DoD (i.e., defense contractors) to obtain a Cybersecurity Maturity Model Certification (CMMC) involving verification from an independent assessor. This is expected to have an impact across the Defense Industrial Base (DIB). What can contractors do now to prepare their organizations to meet these new requirements?

Depending upon the CMMC maturity level required, implementation and certification of cybersecurity controls may require a time-consuming commitment of resources, both in terms of people and funding. This heightens the urgency for acting now rather than waiting. Consider addressing your CMMC challenges in a pragmatic way by leveraging Baker Tilly’s relevant expertise.

Introduction

The rollout of CMMC is a major development in the cybersecurity regulatory landscape and will have significant impacts on defense contractors of all sizes. With the release of this model, in order to conduct business with the DoD, essentially all defense contractors will be required to achieve a defined CMMC level(1) involving a certification to be conducted by an independent and qualified third-party assessor.

Not only will the DoD require defense contractors to comply with these new requirements, but also to flow-down these requirements across their supply chains, adding further subcontract oversight and risk burdens to higher-tier contractors.

CMMC overview and background

The DoD intends to use the CMMC to manage cybersecurity risk across the DIB – specifically with respect to protecting federal contract information (FCI) and controlled unclassified information (CUI) – through independent certification to verify defense contractors’ cybersecurity posture. Results of these certifications will become discriminators within the DoD’s solicitation and award processes.

In addition, the DoD aims for the CMMC to expand and improve upon existing guidance for adequate cybersecurity controls, aligning cybersecurity safeguarding requirements with contractors’ risk exposure when handling FCI and CUI in performance of DoD contracts.

The CMMC does not replace current regulations and standards, such as DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Rather, it