DoD to use CMMC as a “go/no go” decision on RFPs
As of 2020, the Department of Defense (DoD) no longer will accept self-attestations or “good faith efforts” toward meeting DFARS cybersecurity requirements.
To reduce risk to the defense supply chain, DoD has decided that all primes and subcontractors must pass a third-party audit verifying Cybersecurity Maturity Model Certification (CMMC) compliance.
No organization with DoD business is exempt
Every organization that is paid as a result of a DoD contract must pass at least a Level 1 CMMC audit, regardless of whether it handles sensitive data (CUI) or how many tiers down the supply chain it sits.
However, not all organizations must pass the entire scope of cybersecurity requirements. To address the different levels of data sensitivity, CMMC will have five maturity levels, all based on the number of NIST 800-171 controls a contractor adopts. The levels range from basic to advanced cyber hygiene. It is up to each contractor to determine which CMMC level they want to obtain. The higher the level, presumably the stronger a contractor’s competitive advantage.
The Time to Prepare is Now
To protect the defense infrastructure from continuous cyber threats, DoD has put an aggressive timeline in place for compliance. The first CMMC requirements will be released in January 2020 and appear in Requests for Information by June, with RFP requirements to follow. Organizations must be re-certified on an ongoing basis, at intervals yet to be determined, as the nature of cyber threats evolves.
Summit Business Technologies is helping multiple contractors meet the NIST 800-171 cybersecurity standards on which each level of CMMC is based. Our cybersecurity compliance experts are highly experienced in cybersecurity controls, and the steps and milestones necessary to achieve compliance.
Do not risk failing an audit.
Organizations that do cannot provide products and services to DoD until the cybersecurity gaps are remediated and another audit is scheduled and passed. The first step toward compliance is a Gap Analysis to identify existing controls and areas of vulnerability.