Defining CMMC: What Defense Contractors Need to Know


It’s been nearly a decade since the Defense Federal Acquisition Regulation Supplement, or DFARS, was signed into law. DFARS mandated that all Department of Defense contractors integrate and follow cybersecurity standards according to the NIST SP 800-171 framework. 

However, adoption of these standards has been slow. In response, the DoD has released the Cybersecurity Maturity Model Certification, or CMMC, which ensures that cybersecurity standards are being addressed and adhered to throughout the defense supply chain.

Here’s a closer look at CMMC and what it means for defense contractors. 

Defining CMMC vs DFARS

First and foremost, any company doing business with the Department of Defense, either as a prime contractor or lower-tier subcontractor, will be required to achieve CMMC certification. There are five potential maturity levels of CMMC, beginning with protecting Federal Contract Information (Level 1), safeguarding Controlled Unclassified Information (Level 3), and reducing the risk of Advanced Persistent Threats (Level 5). 

Technically speaking, CMMC is being presented as a rule change that will be incorporated into DFARS. The key difference between CMMC and DFARS is that DFARS allows contractors to self-attest to NIST SP 800-171 standards after winning the contract, while CMMC requires contractors to be certified prior to being awarded the contract. 

When Will CMMC Take Effect?

The proposed rule change is expected to gain approval in Fall 2020, with the first RFIs and RFPs to include CMMC by the end of October 2020. However, the actual timeline for the complete rollout is expected to last through 2026. 

The good news is that any existing contracts will not retroactively be affected by CMMC. 

How and When to Approach CMMC

CMMC is expected to impact as many as 300,000 companies and contractors. It will likely appear in OTAs and other non-procurement contracts that are more common with small- and medium-sized companies. This may pose a problem, however: smaller companies make up the majority of defense industry companies, and they also tend to have fewer resources to invest in cybersecurity improvements. 

However, instead of viewing CMMC as yet another costly hurdle to clear, companies should view this certification as a way to differentiate themselves from competitors. Obtaining certification early (i.e. before it’s required) demonstrates a forward-thinking approach to maturity, makes contract bids more attractive, and can help avoid assessment bottlenecks.

It’s also worth noting that foreign companies are interested in adopting CMMC requirements, which can present unique export opportunities for companies that achieve the certification.

We’ll be bringing you updates on CMMC as new information becomes available. Until then, head back to the etaGlobal blog for more A&D insights.