Working with the Department of Defense on Contracts?

What you need to know about the changing CMMC environment.

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB).  It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework was created in 2019 and has three key features:

• Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
• Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
• Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

 In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of an internal review which includes: 

• Reducing costs, particularly for small businesses
• Increasing trust in the CMMC assessment ecosystem
• Clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards.

So what does this mean for you moving forward?

HOW MUCH WILL IT COST TO IMPLEMENT CMMC 2.0?

Costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to (a) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes, (b) allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments, and (c) increase oversight of the third-party assessment ecosystem.

WHEN WILL CMMC 2.0 BE REQUIRED FOR DOD CONTRACTS?

CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.

The Department of Defense encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway.

The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.Need to get started on your CMMC 2.0 compliance?

Idea Solutions will perform a thorough CMMC assessment to see where your company is in relation to where it needs to go to pass an official CMMC audit.

We will perform a gap analysis of your company’s network and security tools, processes, and procedures to identify and evaluate the areas that need improvement and provide you a remediation plan and services to help prepare your organization for a CMMC audit.