The Cybersecurity Maturity Model Certification (CMMC) was created by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) to ensure that all Defense Industrial Base (DIB) contractors are following the proper protocols when protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Soon, all defense partners will be required to meet some level of compliance with the new CMMC process to be considered for DoD work.
There are many questions surrounding CMMC, the different levels of compliance, and when businesses will need to be certified. Gray Analytics Vice President and General Counsel Jay Town has answered a few most frequently asked questions below.
If your company sells off-the-shelf (OTS) commercial products, it’s unlikely that CMMC compliance will be required of your business. However, if you work in defense contracting or in the DIB, you will be required to be certified by a Certified Third Party Assessment Organization (C3PAO) to participate in any future defense work.
Oct. 1, 2025, is the effective date of CMMC. But keep in mind, there are already Requests for Information (RFIs) and Requests for Proposals (RFPs) in the DIB that require CMMC certification. In fiscal year 2022 there will be 75 RFIs that require CMMC certification. That number jumps to 250 in fiscal year 2023, and then up to 325 by fiscal year 2024. In total, 650 contracts will require CMMC certification before Oct. 1, 2025. The time to prepare is now.
The CMMC framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references. The model measures cybersecurity maturity with five levels, and it’s up to you to determine which level is appropriate for your business. Each level consists of a set of processes and practices that are detailed below.
The CMMC levels and the associated sets of processes and practices across domains are cumulative. More specifically, an organization must demonstrate achievement of the preceding lower levels to achieve a specific CMMC level.
For example, Level 1 is the lowest level and has the minimum requirements for CMMC certification. Level 3 is where we expect most companies to fall, and it requires at least 20 additional cyber maturity measures on top of those NIST 801-71 self-certification requirements that your business should currently have in place. Level 5 is the most advanced level of CMMC certification and will require the most robust and mature cyber environments. We expect this level of certification to be most relevant to large prime contractors.
CUI is any information that pertains to trade secrets; intellectual property; technical drawings; technical information; contract information; critical nuclear, energy, or propulsion infrastructure; or personal identifiable information for your company, subcontractors, or your partners. CMMC is designed to ensure the protection of all CUI from exfiltration by our enemies.
There are over 300,000 companies that serve the DIB or do business with the DoD, meaning there are more than 300,000 network systems that need to be protected from vulnerabilities. Our enemies are actively seeking to gain advantage by exfiltrating our nation’s classified information and CUI as it relates to our DoD and the DIB. Every piece of information is sensitive and can be combined with other intelligence to be used against our country. Each company has a responsibility to protect their own cyber environments in order to maintain our American ingenuity and deliver uncompromised products to our war fighters, the DoD, and to our civilians.
Gray Analytics can help. We are certified as a CMMC Registered Provider Organization (RPO) and can give your business pre-audit clarity on how to mature your cyber environment so you can reach the level of CMMC maturity that you desire as a business. As an RPO, we help prepare your business for your CMMC certification, fill any cyber gaps necessary to reach your desired maturity level, and then continually monitor your company’s cyber environment in order to ensure, to the extent possible, that you reach CMMC certification and continue to thrive in the defense contracting industry.
Learn more about our CMMC and Cybersecurity Compliance Support Services.
Watch more episodes of Town Hall with Gray Analytics.