What should DoD contractors do to meet CMMC requirements?

With the release of the Cybersecurity Maturity Model Certification (CMMC), major changes are coming to the Department of Defense (DoD) supply chain this year for both contractors and subcontractors.

CMMC requires that all DoD contractors and subcontractors implement practices and controls to safeguard controlled unclassified information (CUI) and federal contract information (FCI). CMMC will also require that DoD contractors and subcontractors undergo an assessment by a CMMC Third-Party Assessment Organization (C3PAO).

CMMC will be required for all DoD contractors (prime and subs) and should be considered a “license to do business with DoD.” Potential implications of noncompliance could include the following:

  • Revenue loss

  • Reputational damages through adverse performance reviews

  • Supply chain disruption

  • Proposal exclusion

What can you be doing right now?

In preparation for CMMC, organizations across the defense industrial base are taking a serious look at their controls surrounding NIST 800-171 and beginning to understand the differences between NIST 800-171 and CMMC. Some specific areas of focus for DoD contractors include the following:

Define your CUI boundary – In order to understand what level of CMMC you might need, start by understanding your CUI boundary and the types of information that are passing through your environment.

Revisit your system security plan (SSP) – In previous versions of the DFARS clause, DoD contractors were required to develop and maintain an SSP. Now is a good time to review and update your SSP, because it will be an integral part of your CMMC assessment.

Revisit your POA&M – If you’ve performed a self-assessment, you should have developed a POA&M that outlines gaps and your plan to close them. Before going into your CMMC assessment, you should strive to close out outstanding gaps, and a good first step is to review and update your POA&M.

How can CSCG help?

CSCG takes a business-focused, broad approach that supports cost savings, productivity, and risk reduction goals. We encourage DoD contractors to take a proactive and sustainable approach to achieving the CMMC requirements on an ongoing basis.

Readiness Services – CSCG can assist DoD contractors with achieving CMMC compliance by assessing existing processes and controls against the CMMC framework to identify if deficiencies exist.

Certification Services – CSCG has partnered with a C3PAO and expects to be credentialed during the summer of 2020. Stay tuned for updates on this service.