The CMMC model delineates five “maturity” levels, with level one being the lowest level of maturity and level five being the most secure. Once the CMMC takes effect, DoD will assign all solicitations a maturity level that your company must meet if it wishes to bid on the solicitation.
To make matters more challenging, contractors and subcontractors will also have to meet 17 “security domains” within each of the five maturity levels of the CMMC. Depending on the level of maturity your business wants to achieve, it could be required to comply with up to 171 cybersecurity requirements in order to meet CMMC certification guidelines. These maturity levels are also cumulative, meaning that if you want to certify at level three under the CMMC requirements, you would also have to comply with the requirements of levels one and two. The level of maturity that you may wish to obtain will be based on the amount of sensitive data and “CUI” (Controlled Unclassified Information, i.e., unclassified data that still requires safeguarding) that your company works with or plans to work with as a DoD contractor or subcontractor. Through the creation of the CMMC, DoD seems to be enhancing the requirements of NIST 800-171 and other cybersecurity-related frameworks.
One of the biggest changes with the CMMC requirements is that they prevent contractors and subcontractors from “self-assessing” their cybersecurity readiness. Under the CMMC, contractors will need to have an official, independent third-party assessment organization (C3PAO) conduct an on-site inspection to ensure that they are in strict compliance with the CMMC. Failure to comply with the requirements of the maturity level you wish to achieve renders the contractor unable to bid on new DoD solicitations. There are currently over 300,000 DoD contractors and subcontractors in the United States and abroad that will need to come into compliance with these new CMMC guidelines. Although the CMMC guidelines do not appear to be retroactive at this time, DoD solicitations will begin referring to CMMC requirements as early as June 2020, and the requirements will become mandatory in September 2020. The time for preparation is now.
If you are one of the affected contractors, experienced legal counsel can be instrumental in preparing for the C3PAO process. We have prepared an assessment and compliance tool to assist businesses in achieving maturity levels one through five. This tool helps contractors develop the policies, procedures and gap analysis required to comply with the DoD CMMC requirements and to pass the C3PAO accreditation inspection.