CMMC Compliance Deadline Is Approaching for Government Contractors: Are You on the Right Track?
The Cybersecurity Maturity Model Certification (CMMC 2.0) program is a requirement put in place by the Department of Defense (DoD) to ensure that all contractors doing business with the DoD meet certain security protocols. Here’s what you need to know.
Why CMMC?
The request for enhanced security protocols shouldn’t come as a surprise to any DoD contractor.
The Defense Federal Acquisition Regulation Supplement (DFARS) compliance requirement for contractors, which went into effect on December 31, 2017, already required contractors to adhere to specific security improvements.
Unfortunately, the DoD determined that far too many contractors were not following the requirement.
CMMC was developed to further strengthen the security compliance requirement and to allow for proof of compliance that is tied to being qualified to bid on contracts.

What Kind of Data Is Subject to the CMMC Requirements?
Depending on the type of work a contractor performs for the DoD, they may have access to and maintain Controlled Unclassified Information (CUI), Federal Contract Information (FCI) or other crucial pieces of sensitive data that must be securely transmitted, stored and handled.
What Is the Deadline for Becoming CMMC Compliant?
In September of 2024, the Office of Information and Regulatory Affairs (OIRA) released the CMMC Final Rule (known as 32 CFR), which defines the CMMC program and allows CMMC certification assessments to begin.
The CMMC Final Rule is on track to become law by the end of 2024 and can become part of DoD contracts in early 2025. CMMC compliance is being introduced gradually as a contractual clause over the course of three years. This “phased rollout” will take place from 2025 to 2028.

However, defense contractors and subcontractors should begin working toward the CMMC requirements immediately. Pursuing compliance early can help ensure your business can continue to participate in government projects, and it provides a structured approach to implementing robust cybersecurity measures, reducing the likelihood of breaches, avoiding penalties, protecting sensitive data, demonstrating a commitment to security, and mitigating risks.
What Does CMMC Compliance Look Like?
The CMMC framework consists of cybersecurity best practices from multiple cybersecurity standards, frameworks and other references. The model measures cybersecurity maturity with three levels. Each level consists of a set of practices that are detailed below. The requirements are cumulative, so any certification level also includes the requirements for the previous tier(s).

Level 1: Foundational
Level 1 of CMMC 2.0 requires annual self-assessments by government contractors.
Level 2: Advanced
Level 2 of CMMC 2.0 is broken into two categories based on prioritization.
- Higher Priority Level 2 contracts will require certification by third-party assessment organizations.
- Lower Priority Level 2 contracts may only require government contractor self-assessments.
Level 3: Expert
Level 3 of CMMC 2.0 requires completion of the Level 2 C3PAO Assessment and the DIBCAC NIST SP 800-172 Assessment.
How Should My Organization Pursue CMMC Compliance?
The first step in determining if your business is on the right track is to know which level of compliance you should achieve for the contracts you wish to bid on. Some prime contractors should be able to provide this information to their subcontractors; others are on their own in making the determination. Once you’ve determined where you are, you can see what you need to do to become compliant.
There tends to be a misconception that becoming CMMC compliant is all about the security of your technical infrastructure—but there’s much more to it than that. Much of CMMC compliance is about your policies, procedures, testing, etc. Missing any piece can cause a business to fail a compliance assessment.
It’s also important to determine whether you’ll handle your compliance efforts in-house or if you’ll look to an outside vendor for assistance. If you choose to keep your efforts in-house, select your internal compliance team and resources carefully so you’re sure the effort is both effective and efficient. Remember, not all technical resources can secure all areas of your infrastructure, and not all IT professionals are well-versed in the compliance rules.

Regardless of your approach, your goal throughout the process should be to become compliant in the most efficient and sustainable way possible so that your company can continue doing work with the DoD.
What Is a C3PAO?
Certified Third-Party Assessor Organizations (C3PAOs) are independent organizations that will use the CMMC Assessment Process (CAP) framework to assess and confirm compliance with CMMC for defense contractors and subcontractors.
There are a limited number of approved C3PAOs, and many defense contractors have already lined up with a C3PAO for their assessment. If you haven’t already secured a C3PAO, it’s best to do so quickly.
Where Should I Go for Help With CMMC Compliance?
CMMC is here to stay, and there is no time to waste. The quicker you start or verify your journey, the better the benefit to your company.
Warren Averett Technology Group can assist your company on your journey to CMMC compliance through:
- Identifying Controlled Unclassified Information (CUI)
- Determining the level of CMMC compliance that is required for your company
- Providing CMMC identification and readiness assessments that show where you are in the journey and what is missing
- Providing actionable, tailored recommendations to make sure that all necessary CMMC items are covered
- Offering implementation support
- Integrating the required controls to reach CMMC compliance
For help in navigating this landscape, please contact us today.
This article was originally published on March 17, 2021 and most recently updated on October 7, 2024.
