Last spring, the DoD decided to pause and review the CMMC program. They made changes to simplify the initial requirements, and that effort launched CMMC 2.0. There are now only three levels of certification, down from five initially.
CMMC levels are a set of controls, cybersecurity practices, and standards that the DoD requires from its defense contractors. Beginning in the spring of 2023 and ramping up to full implementation in 2025, any organization that has not implemented these processes and controls will not meet the requirements of RFPs and will not be awarded these contracts from the DoD. It’s expected that other Federal contracts and proposal requests will also require CMMC certification in the coming years.
Because of this, Firewater Advisors recommends any organization planning to bid on any DoD contracts begin or finalize their certification now.
According to David McKeown, DoD Senior Information Security Officer, it is not a good idea to wait to begin implementing the requirements. “I don’t think it’s prudent to wait. The 800-171 requirements have been around for a long time. Through the CMMC AB (accreditation body), we’re trying to allow early assessments even before this goes into effect as a contract clause, and we want to honor those early assessments.”
So, from the business side, we look at CMMC as a competitor-crushing, business-increasing opportunity.
Levels of Certification
For those organizations that handle Federal Contract Information (FCI), there are seventeen basic cybersecurity hygiene requirements to implement. The organization completes a self-assessment that is registered in the SPRS (Supplier Performance Rating System) database. These self-assessments are conducted annually.
For those organizations that handle Controlled Unclassified Information (CUI), there are one hundred and ten Practices to implement. These Practices are aligned with the controls and standards set forth in the NIST SP 800-171 compliance checklist.
Almost all organizations seeking Level 2 certification will require an assessment from a certified auditor. The assessment, once passed, is expected to meet program audit requirements for three years. Note these organizations must also affirm annually in SPRS that their practices are still compliant with the requirements.
Analysis from the DoD has shown that a small number of companies participating at Level 2 in a limited fashion may be able to bid on select Level 2 projects requiring only a self-assessment. Note that it takes only one contract with a higher-level requirement to drive the need for a third-party assessment. The DoD expectation is that the number of companies that only have to do a self-assessment will be very small. Because most companies participate in more than one contract, the recommendation from Firewater Advisors is for any company seeking Level 2 certification to also request and complete a third-party audit.
The assessment for Level 3 compliance will be performed by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center), the assessment arm of the DCMA (Defense Contract Management Agency). An organization at this level must first complete a third-party assessment and achieve CMMC Level 2. Once that is complete, if an organization wishes to continue to Level 3 compliance and be eligible for all DoD contracts, it would then contact DIBCAC to begin the process for a deeper assessment that includes additional cybersecurity controls.
Once an organization has determined which level of certification it seeks to attain, Firewater Advisors recommends beginning the path to CMMC compliance right away. The audit process can be cost-prohibitive and time-consuming. According to Wayne Shaw, CISO, CEO of Five 9s Consulting, it takes anywhere between 9-12 months for a motivated company to address all of the CMMC controls and complete the compliance journey.
Because of this, Firewater Advisors recommends that any organization wishing to be awarded DoD contracts begin the journey to compliance right away. With roughly 33% of current DoD contractors expected to drop out in light of the requirements, early adopters will be the first in to capture that business.
A helpful list of acronyms related to the CMMC:
As with many government and technical programs, the number of acronyms and specific terms can be daunting. The team at Firewater Advisors is working to demystify these requirements and simplify CMMC terms to help organizations become certified, which helps our clients find more compliant partners and helps the United States Department of Defense better protect its contract data.
AB = Accreditation Body
C3PAO = Certified Third Party Assessment Organization
CAGE = Commercial and Government Entity
CISA = Cybersecurity and Infrastructure Security Agency
CUI = Controlled Unclassified Information
CMMC = Cybersecurity Maturity Model Certification
DCMA = Defense Contract Management Agency
DoD = Department of Defense
eMASS = Enterprise Mission Assurance Support Service
FCI = Federal Contract Information
FedRAMP = Federal Risk and Authorization Management Program
ISO = International Organization for Standardization
MSP = Managed Service Provider
NIST = National Institute of Standards and Technology
OMB = Office of Management and Budget
POA&M = Plan of Action and Milestones
SPRS = Supplier Performance Rating System