CMMC is here and it affects you


Cybersecurity Maturity Model Certification

What is the Cybersecurity Maturity Model Certification? It is a set of requirements that the Department of Defense demands of everyone who provides services to it. Unlike previous standards such as NIST 800-171 or the CSF, you cannot self-certify. Once DFARS adds the CMMC requirements (DFARS clause 252.204-7012) to all new contracts, you will not be able to do work for the DOD or a DOD contractor without certification. CMMC Third-Party Assessor Organizations (C3PAOs) are now training inspectors to enforce the rules. Furthermore, being in the cloud does not exempt you: they want you to protect your blueprints and even the layout of your shop floor. They want you to protect your CUI documents, CNC data, and all machine tool programs. You need written policies and procedures not only to conform to the regulations for CUI, but also to catch breaches and to have a process for reporting them. The CMMC requirements are deep and wide.

A provision in the 2021 National Defense Authorization Act requires DOD's CIO and the commander of the Joint Forces Headquarters-Department of Defense Information Network to review each DOD component for cyber hygiene and assess compliance with CMMC.

The report identifies the "component's CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework," according to the legislation (H.R. 6395, Sec. 1742, Department of Defense Cyber Hygiene and Cybersecurity Maturity Model Certification Framework).

Those components that don't meet CMMC level 3 requirements, also referred to as "good cyber hygiene," will have to "implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022."

The report stemming from that review was due to Congress on March 1, but has been pushed to June, according to a Hill aide familiar with the matter.

The CMMC program, a unified standard that defense contractors handling controlled unclassified information will have to meet to bid on contracts, is expected to enter the pilot stage with select contracts later this year. Who is affected? The major contractors, naturally, but also, and most importantly, everyone (and I mean everyone) in the supply chain. If you drill holes for Lockheed, you must comply.

Next Level Systems is dedicated to helping small and medium-sized businesses work toward compliance, giving them an edge in competitive bidding situations. If you do any defense work, you must comply this year.

Brian O'Connor


Alan Knapp

Business Consultant at Next Level

3 years ago

Great article, good info. MUST READ
