If you are a federal defense contractor who works with Controlled Unclassified Information (CUI) you will soon be required to become fully compliant with the U.S. Department of Defense’s newly launched Cybersecurity Maturity Model Certification program (CMMC). If you have subcontractors who assist you in the delivery of your contract, they may also have to obtain CMMC certification.
To achieve this objective, you must demonstrate your compliance during a formal assessment conducted by an accredited CMMC Third-Party Assessor Organization (C3PAO). This assessment requires contractors to provide objective evidence to prove that they have the necessary cybersecurity protocols in place to protect CUI. If you are seeking a Level 3 CMMC certification, for example, there are 130 discrete standards for which you must demonstrate compliance.
The questions we must answer are:
- When must you go through this onerous process;
- How do you achieve this challenging objective; and
- What are the consequences for non-compliance.
Having this information in-hand, federal contractors can help ensure they get started with the certification process well in advance of their deadline.
Understanding the CMMC Phased Roll-Out
In June of 2020, the DOD began issuing Requests for Information (RFIs) that required responding contractors to be CMMC compliant. In September of 2020, they began issuing Requests for Proposal (RFPs) that contained this requirement.
Each subsequent year, the percentage of RFIs and RFPs requiring certification will increase. Although the federal government has not provided specific percentages or numbers of projects that will require CMMC certification, the majority of requests will have this requirement in 2025.
By January of 2026, the DOD estimates that every contractor in the Defense Industrial Base (DIB) – currently in excess of 300,000 firms – will require some level of CMMC certification.
What Is Your Deadline for CMMC Compliance?
Unfortunately, you may have no way to determine your deadline for compliance in advance. Currently, contractors are learning about the requirement when the DOD issues an RFI or RFP that requires a specific level of certification. If, for example, an RFP requires contractors to be CMMC Level 3 certified, you cannot submit a proposal until you obtain this certification.
The good news is that, with a few exceptions, CMMC compliance requirements are not significantly different from those in NIST 800-171. What is drastically different under the new program is how you demonstrate compliance.
Previously, contractors were able to self-report their cybersecurity standards compliance. Under the CMMC program, a highly trained and accredited assessor will evaluate the contractor’s cybersecurity standards, practices, and maturity. Moreover, during the C3PAO assessment, contractors must provide the assessor with specific “objective evidence” of their compliance with each requirement necessary for their desired certification level.
What Happens If You Are Not CMMC Compliant?
Under the prior, self-reporting protocols, submitting false information posed a significant level of risk under the False Claims Act, subjecting violators to potential fines and lawsuits. In fact, firms that were found to have intentionally misrepresented their cybersecurity standards were assessed fines as high as almost $5 million each.
Under CMMC, contractors still face the potentially harsh consequences of a False Claims Act violation. However, the structure of the new certification system will make it virtually impossible for contractors to obtain certification if they aren’t fully compliant with the CMMC program’s requirements and standards.
If you require CMMC certification, contact the cybersecurity experts at Rimstorm today. We have launched a comprehensive compliance engine, GovCon Enclave, that makes it quick, easy, and highly affordable to obtain your CMMC compliance certification. We can answer your questions about the new program requirements and help you determine what your deadline is for obtaining CMMC certification.