CMMC: What we know and why it matters

By David Berteau,
President and Chief Executive Officer

By David Berteau

|

Publication of the CMMC standard culminates a year-long process notable for collaboration between DOD and industry. It is a good beginning but it is only a beginning.

On Friday, Jan. 31, the Defense Department released Version 1.0 of its standard for the Cybersecurity Maturity Model Certification program, known as CMMC.

Publishing the standard culminates a year-long process. It is a good beginning, for two reasons.

First, it’s a recognition of broad agreement on the problem: cyber threats to national security are real, and they are growing. Data and intellectual property theft diminishes U.S competitive advantage and puts America at greater risk. More importantly, there is agreement that current responses to those threats are not working well enough. Much more needs to be done, by industry and by the government.

Project 38 Podcast

What's ahead with CMMC

WT editor Nick Wakeman and FCW defense beat writer Lauren Williams give their perspective on what CMMC means to the market.

Listen here.

 

Second, the standard and the processes by which it will be assessed and applied to contracts benefitted from substantial interaction between DoD and industry, including individual companies and the trade associations such as the Professional Services Council that engage on their behalf.

Over four months, the Pentagon released three different draft versions of the standards. Input from industry was incorporated in part by DoD in subsequent drafts of the standards. That pace and level of collaboration is noteworthy.

There are a host of next steps, including the promulgation of a new DoD acquisition regulation covering the application of CMMC certifications in contracts. DoD’s schedule calls for that regulation to be prospectively applicable and to be in place by September of this year.

What does CMMC mean for industry?

Let’s look at what we know. The DoD standard is now set. It goes beyond current acquisition regulations, which require compliance with standards from the National Institute of Standards and Technology.

We know that companies have yet to assess their systems and processes against the new CMMC standard. PSC is advising our member companies to begin their own internal assessment of how well they meet the CMMC Version 1.0 standard. Firms should start now; there is no need to wait.

We also know that the goal of CMMC is to make sure that, at the time of contract award, DoD prime and subcontractors are certified for cybersecurity at specified levels. Current plans state that DoD will require such certificates on selected contracts awarded in calendar year 2021. 

Over time, DoD cybersecurity requirements will apply to all contracts. CMMC coverage will include the range of data that falls under the broad category known as Controlled Unclassified Information, or CUI, for which there remains some ambiguity and inconsistencies today, both in definitions and in contracts. 

How will a company become CMMC certified?

CMMC certificates will be issued for all or part of a company at one of five different levels, on a pass-fail basis. Assessments will certify for the CMMC level against which they were assessed.

DoD owns the standards against which firms will be assessed, but it does not own the assessment or certification process. How will this process work? 

We know that a newly-formed, independent accreditation body has been established. We expect that it will sign a Memorandum of Understanding with DoD. Once that MOU is in place, the accreditation body can accredit assessing organizations, open the process for training assessors and certifiers, and take applications from companies to schedule certifying assessments. 

We anticipate that the assessing organizations themselves will need to be certified, to the level against which they will be assessing others. This could add to the start-up time for certifications to be issued.

DoD officials have stated they will provide the training guidelines for assessors and assessments, along with the initial data repository for all levels of certificates. Once regulations are in place and certificates required, contracting officers can at the time of contract award use the repository to verify CMMC certification levels for contractors and their subcontractors. 

How soon will this start?

We know that DoD plans 10 pilots, or “pathfinder” programs, over the next few months to test processes. This phased implementation plan is likely to produce some improvements that DoD can incorporate as the process expands.

In parallel with those pilots, DoD may begin including this spring or summer the anticipated requirements for CMMC certification levels in RFIs (requests for information from DoD programs to potential contract bidders). This should let companies have an idea of a timeline for when they need to be certified and at what level in time to respond to RFPs (requests for proposals).

What happens next?

There are many additional questions to which we do not yet know the answers, and others of which we have not yet even thought, including:

  • What is the capacity and capability for assessing companies and issuing certificates, including who goes first? How fast can that capacity expand?
  • How will companies know which assessors are accredited and eligible to assess and certify them? Advertisements are already popping up from firms that claim to be able to help get and keep certificates.
  • What training is needed for DoD program and contracting personnel? When will the training begin? How long will it take?
  • What is the timing and coverage of the new DoD acquisition regulation?
  • How will DoD incorporate CMMC requirements into RFIs, RFPs, and contracts?

For now, what we know is that CMMC is real, it is here, and both DoD and its contractors and subcontractors have a lot of work to do. PSC will continue to stay on top of this and work to help keep you informed.

NEXT STORY: Beware the dangers of groupthink

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.