Federal

The Growing Importance Of A CMMC For Government Contractors

June 1, 2021 • Jacob Nix

A CMMC, otherwise known as a Cybersecurity Maturity Model Certification, is a standard framework set forth by the Department of Defense (DoD) that encompasses cybersecurity measures across the Defense Industrial Base (DIB). Following a number of high profile data breaches from 2019 to 2020, the CMMC has garnered increased importance for suppliers and contractors working with the DoD.

As of the September 2020 interim rule, Cybersecurity Maturity Model Certification is now included as part of the overall Defense Federal Acquisition Regulation Supplement (DFARS). The goal? To provide assurance to the DoD and the United States as a whole that our DIB can protect sensitive Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and as CMMC evolves Covered Defense Information (CDI) and Controlled Technical Information (CTI).

What is required for a CMMC?

The September ruling established three new provisions that all bidding contractors must comply with:

  1. DFARS Provision 252.204-7019 Before an award, contractors must have a current assessment score in the Supplier Performance Risk System - no older than three years old. Included for entry is a name for the system security plan, a description of the plan’s architecture, the date and score of the self assessment, a CAGE code, and the date for implementation.

  2. DFARS Clause 252.204-7020 This clause defines basic, medium, and high assessments for contactors and the appropriate methodology for conducting each. For parties subject to a basic assessment, the aforementioned self-assessment and SPRS score will suffice, whereas medium and high assessments will be conducted by Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) personnel using NIST SP 800-171A.

  3. DFARS Clause 252.204-7021 This clause requires contractors to achieve a CMMC at the time of the award and must maintain that certificate for the duration of the contract. Simple as that.

Who needs a CMMC?

In short, if you’re going to work within the Defense Industrial Base, even if you’re not working directly with the Government, you’re going to need CMMC in the next few years.

Without taking action early, you could miss out on the Cybersecurity push. Program architecture takes time to ensure you’re left with a sustainable, efficient and effective outcome.

Have more questions about achieving a CMMC? Get in touch with a member of our team below.