What is the Cybersecurity Maturity Model Certification (CMMC)?
Since early 2020, the Department of Defense (DoD) has been developing a new program for third-party certification of the security of information systems at all DoD contractors and subcontractors. This new CMMC requirement will impact approximately 300,000 businesses in the US, many of which are small contractors or subcontractors lacking even basic cyber hygiene.
The CMMC Proposed Final Rule was published December 26, 2023, and is expected to become final in the first half of 2025. At that time, the clauses for self-assessment and affirmation of both L1 and L2 will begin appearing in all contracts.
According to information released to its membership by the National Defense Industrial Association, most organizations should plan on spending 18-24 months to fully implement the requirements and be ready for an official assessment (which could take many more months). Smart organizations have been preparing for some time, while others have fallen behind. Contracts with the CMMC clause will only be awarded to organizations that already have their CMMC programs in place, and prime contractors are obligated to "flow down" the CMMC requirements to their subcontractors.
We are pleased to say that our President, Glenda R. Snodgrass, was among the first individuals to become a Certified CMMC Professional (CCP) in November 2022, and in May 2023, she became one of the first to pass the Certified CMMC Assessor exam.
While CMMC currently applies only to DoD contractors, the GSA has already included references to CMMC in a recent solicitation, DHS has publicly expressed interest, and it is widely believed that the CMMC will be expanded to all federal government contractors in the future. If you have any questions about the CMMC, please contact us! We are always happy to talk with organizations that have cybersecurity concerns.