The Department of Defense (DoD) has released its final cybersecurity standards. Cybersecurity Maturity Model Certification (CMMC) is the name of the new standard. As a result of the new CMMC certification, all DoD contractors require this certification. Next, we will go into detail on the different levels of certification. Remember, that all DoD contracts will require this certification.
The Cybersecurity Maturity Model Certification has five levels. The majority of contractors working with unclassified information must obtain CMMC level one. CMMC Level one is the lowest level. For instance, the more sensitive the data that a contractor handles, the higher the level of certification that they will need to receive under this certification. Every certification level will require an in-person check by independent assessors. In addition to contractors requiring certification, assessors require certification too. Why did the government change its cybersecurity model? That is what we will discuss next.
Why did DoD decide to implement the CMMC certification? Because the government realized that a checklist security and self-assessment model was failing. U.S. adversaries were exploiting defense contractors resulting in the leaking of our national security secrets. The DoD believes that the CMMC standards will stop U.S. adversaries from breaching defense contractors’ systems. As a result, contractors now need to pay a certified assessor to physically inspect their operations to ensure that they comply with one of the five levels of security. Besides defense contractors, the CMMC assessors must obtain training and are managed by a nonprofit board comprised of industry and academic partners.
Next, we will discuss the cost to obtain this certification.
How Much Will the CMMC Certification Cost?
Unfortunately, the cost of the assessment depends upon several factors to include the CMMC level, the complexity of the company’s network, and other market forces. Once certified, the certification will be valid for three years. While any certification is not cheap, it is a necessity. Fortunately, contractors are allowed to expense the certification cost to allowable, reimbursable cost; thus, it is not prohibitive. Please see FAR Clause 52.204-21 for more information. That is if you win a DoD contract. Now, if your company provides only Commercial-Off-The-Shelf (COTS) products, then you do not require a CMMC certification. These are the only businesses not required to obtain the certification.
Also, remember that this certification can apply to subcontractors. It is strongly recommended to notify your subcontractors regarding this requirement so that they have time to get into compliance.
Are Subcontractors Require To Obtain CMMC Certification?
Yes, subcontractors will need to obtain the certification. However, the level of certification will depend on the type and nature of the information that flows down from your prime contractor.
Where can I find out more information?
You can find out more information at https://www.cmmcab.org/. As these details for this certification still work out, you may want to signup for email notifications from the above site. Also, encourage your subcontractors to also sign up for email notifications.
You can expect CMMC requirements to begin to appear in RFIs and actual solicitations. If a contractor does not meet the contract’s requisite level of security under this framework then they will not be able to bid on the contract.
For more articles interesting articles , please click here.