The Office of the Under Secretary of Defense for Acquisition and Sustainment has stated that security is foundational to acquisition and must carry the same weight as cost, schedule, and performance going forward.
The Cybersecurity Maturity Model Certification (CMMC) was created to ensure the defense industrial base of government contractors is adequately protected by the adoption of strong cybersecurity practices. Currently, cybersecurity compliance within the defense industrial base is dubious at best.
For contractors not yet in full compliance with NIST SP 800-171, a Plan of Action and Milestones (POAM) documents how and when the remaining requirements will be met. Under the self-attestation regime tied to NIST 800-171 alone, an open POAM carried no deadline and could be used to defer compliance indefinitely. This is no longer the case with CMMC. Under CMMC, POAMs are strictly time-limited to 180 days, and only a limited subset of practices may remain open on a POAM at the time of assessment; the remaining requirements must be fully implemented. In addition, many contractors handling Controlled Unclassified Information (CUI) will be required to undergo a formal assessment by a Certified Third-Party Assessment Organization (C3PAO) rather than self-attesting.
CMMC certification levels range from “Foundational” (Level 1) to “Expert” (Level 3). At a minimum, any company handling CUI will be required to meet Level 2. To achieve Level 2, a government contractor must implement all 110 security requirements specified in NIST SP 800-171.
Contracts will soon specify the required CMMC level. For contracts that require a formally assessed CMMC Level 2 or Level 3, your organization may be disqualified from bidding if it has not been certified through that assessment.
Rimstorm can help you prepare for your CMMC assessment in a number of ways. We offer a free NIST / CMMC enclave suitability review to determine whether an enclave solution is a good fit for your organization. If desired, we can then provide a presentation and/or demo of our GovCon Enclave.