What to Expect from the Cybersecurity Maturity Model Certification (CMMC) Rollout

If you are a contractor currently doing work with the government or considering it, you have likely heard about the Cybersecurity Maturity Model Certification (CMMC). The CMMC is made up of five levels designed to help bolster security and safeguard sensitive data housed in the supply chain for organizations doing business with the federal government.

Even though the certification for the CMMC will be a phased rollout, anyone working directly with the Department of Defense (DoD), or subcontracting to a prime working with the DoD, will need to achieve at least Level 1 (basic cyber hygiene), which is focused on the protection of Federal Contract Information (FCI). While the certification and audit process has yet to be finalized, you will want to start preparing for this change.

Timeline and Certification Levels

The CMMC model measures cybersecurity maturity with five cumulative levels, using benchmarks consisting of a set of processes and practices for each level. Based on the type and sensitivity of the information needing protection and the threats posed, the DoD has scaled these processes and practices from Level 1 (basic cybersecurity hygiene) to Level 5 (most advanced). The levels can be characterized as follows:

  • Level 1: Safeguard Federal Contract Information
  • Level 2: Serve as a transition step in cybersecurity maturity progression to protect Controlled Unclassified Information (CUI)
  • Level 3: Protect CUI
  • Levels 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)

The rollout is expected to begin this summer, as early as June, starting with approximately 10 select Requests for Information (RFIs) and the subsequent Requests for Proposals (RFPs). It is important to note that CMMC implementation only affects new DoD contracts. By Fiscal Year 2026, it is expected that all DoD contracts will include CMMC requirements.

So, what steps do you need to take?

Action Items

  1. Review the CMMC Version 1.0 and assess your current cybersecurity infrastructure.
  2. Decide which level your organization would like to achieve.
  3. Identify your gaps and what it would take to meet the CMMC requirements.
  4. Outline a plan and make sure your key stakeholders support the efforts and potential investment to become compliant.

Don’t wait to get started. Initial implementation of the CMMC will only be within the DoD; however, other agencies are expected to adopt CMMC into their acquisition requirements as well. Organizations should begin assessing their current cybersecurity practices and processes now to identify any gaps and develop plans to meet the new requirements.

The CMMC is not a checklist. It is an active effort to ensure that the defense industrial base implements maturity processes and cybersecurity best practices. The result is protection from malicious cyberattacks and risks to economic and national security due to theft of intellectual property and sensitive information.

Have questions about CMMC? Contact our team. We’d love to chat and see how we can assist with your government sales and compliance.
