Starting this year (2021), Cybersecurity Maturity Model Certification (CMMC) compliance is required for organizations supporting or feeding into the Defense Industrial Base (DIB). DIB organizations previously self-assessed their compliance with NIST 800-171, but DIB officials state that self-certification is not working. Cyberattacks are successful because organizations have not fully secured their networks. The new CMMC framework removes trust and requires an assessment or audit be performed by an independent third-party. CMMC Certification is issued upon successfully passing the audit.
Requests for Proposals (RFPs) will gradually mandate CMMC Certification as a prerequisite to enter the Department of Defense (DoD) bidding process. CMMC requirements will be implemented in all new DoD contracts starting in FY 2026. Based on the DoD contract’s information sensitivity, RFPs will point to a specific maturity level prior to contract award.
There are five maturity levels composed of practices and processes. Certification to Maturity Level 1 is required for safeguarding Federal Contract Information (FCI). Most DoD contracts require compliance to Level 1. Fewer contracts require certification to Maturity Level 3, a requirement for protecting Controlled Unclassified Information (CUI). Less than one percent of RFPs are projected to require Maturity Level 4 or 5 certification.
The CMMC-Accreditation Body (CMMC-AB) manages CMMC for the Department of Defense. As a Registered Provider Organization (RPO), Concord has been qualified and designated by CMMC-AB to help organizations prepare for CMMC Certification.
CMMC represents a new way of doing business with DoD. CMMC Certification is pass/fail and all requirements must be met. With compliance quickly approaching, Concord recommends DoD contractors start preparing for CMMC Certification. RPOs, such as Concord, are uniquely positioned to help.