By Denise Shirey

Are you Conducting Business with the Department of Defense?

If your answer is “yes,” you’ll soon need to comply with the new standards based on the Cybersecurity Maturity Model Certification (CMMC).  Moi?  Yes, you.  Don't panic, there’s plenty of time to get certified, but you really need to get rolling now. Between June and September of this year, there will be about 10 prime Department of Defense (DOD) RFI’/RFP’s released which will include the CMMC criteria.  And, as we all know, “stuff” rolls downhill via subcontract flowdowns.  Thus, that CMMC “stuff” is estimated to impact at least 1,500 suppliers in the fall of 2020.

What is CMMC and Why Should I Be Concerned About It?

CMMC stands for “Cybersecurity Maturity Model Certification” and not chocolate M&M candy. Click on this CMMC site for the tasty details. The CMMC encompasses five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Proactive”. The required CMMC levels will be identified in the prime contractor’s DOD RFP sections L and M and will be used as a “go / no go decision.”

The CMMC framework will be used to certify compliance with various cyber security requirements from a variety of sources. The CMMC consists of five maturity levels ranging from Level 1, Basic Cyber Hygiene to Level 5, Advanced/Progressive, with a Level 3 roughly equating to all of the current requirements of NIST SP 800-171r1.

The DoD is very concerned about supply chain cybersecurity. NIST 800-171 didn’t offer a mechanism for third-party certification, so as we continue to see cybersecurity threats, the DoD needed to certify stronger supply chain cybersecurity practices. Controls assigned with the appropriate threat level will reduce risk of cyber threats.

According to the CMMC FAQ’s, the goal of CMMC is to "serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks”.

Will You Be Receiving Controlled But Unclassified Information (CUI) and/or Federal Contract Information (FCI)?

If you’re a prime DOD contractor/subcontractor and you deal with pretty neat technology which we’ll call “the other stuff,” including Controlled but Unclassified Information (CUI) and/or Federal Contract Information (FCI), expect to see the CMMC “stuff” in your RFI’s and RFP’s.  Eventually all companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI/FCI your company handles or processes.

What is CUI/FCI?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. FCI is information that is not intended for public release and is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. If you receive CUI or FCI you will need to be certified at the applicable maturity level.

Is Your Budget Ready?

The cost of certification is not yet known. Obviously, an assessment for a lower-level certification will be less expensive than an assessment for a higher-level certification. The DoD is considering ways to minimize costs to enable small businesses to come into compliance with certification requirements.

Can You Get Certified Now?

I know, I know.  That’s all you need in life, more “stuff.”   But don’t get snookered.  While your CMMC level can be assessed today, your company cannot be certified today as there are no trained and certified CMMC auditors. The timeline for certification is going to be tight; and here’s even more good news: if the CMMC “stuff” is laid on you, you cannot bid if you are not certified.  Self-certification is not an option. Only an independent 3rd party assessment organization may perform the assessment. CMMC waivers will not be granted.

What Can I Do Today?

Well, don’t just sit there. If you think you’re going to be impacted, get rolling with your assessment and fill in the gaps. Later this summer, you’ll be ready to contact a certified external CMMC third-party auditor for your certification visit.

For more information on this or other trade compliance topics, please contact Export Solutions for a free consultation.