The Department of Defense (DoD) released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework on January 31, 2020. The framework will apply to all companies doing business with the DoD later this year, either directly or as a subcontractor, and is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC is a departure from the existing NIST SP800-171 requirements in several ways. The most significant change is that companies subject to the CMMC will be required to obtain a certification by a CMMC 3rd Party Assessment Organization (C3PAO), which will be valid for three years. The next notable change is dimensionality. The CMMC will consist of five "levels" that companies will be asked to certify to.
The five CMMC levels correlate to the following objectives:
In addition, the CMMC consists of 17 domains, 43 capabilities, and 171 practices across the five levels. There are also five processes for each domain that pertain to an organization's process maturity that demonstrate how it has institutionalized a certain domain's requirements.
The last notable change is that all controls at your chosen level must be implemented in order to be certified. The DoD is not allowing any exceptions. Under the previous self-assessment regime, unimplemented requirements that a company intended to achieve could be acceptable. That is no longer possible under CMMC.
The DoD also indicated that it views the full implementation of CMMC as a phased-in, five-year process. For 2020, the DoD stated that it would target 10 Requests for Information (RFIs) and 10 Requests for Proposal (RFPs), which would affect 1,500 organizations. It is prioritizing nuclear programs, missile defense, OTAs, SBIRs, and STTRs initially. All contracts in 2026 will have CMMC requirements.
The CMMC Accreditation Body is in the process of establishing the requirements for training and accrediting C3PAOs, which is expected to happen through the spring and summer. Certifications are unlikely to be available to contractors before September.
Next Steps – What Should You Do Now?
If you are anticipating being subject to the CMMC, you are probably already subject to DFARS 252.204-7012 / NIST SP 800-171 r1. You should consider a mapping and gap assessment exercise that compares your current state of compliance to the CMMC level you can reasonably expect to be asked to certify to. There will likely be additional work required to meet the new standard. Given the relatively short timeframes involved, starting the work now will save you time and avoid trouble later on. DGC's IT Risk Assurance & Advisory Team can help. We take a proactive approach to every engagement. We assess each client's individual circumstances and create a thorough and efficient plan of action to ensure compliance. For more information, contact a member of your client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / firstname.lastname@example.org.