My Profile   |   Contact Us   |   Sign In   |   Register
WIPP In Action
Blog Home All Blogs
Search all posts for:   


View all (82) posts »

DoD’s CMMC is Moving Full Steam Ahead With or Without You

Posted By Elizabeth Sullivan, WIPP Advocacy Team, Wednesday, March 4, 2020

Read a quick refresher on CMMC. The final model for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) came out earlier this year. So, what’s next for businesses? 

Elizabeth Sullivan


Let’s talk certification.

Now that version 1.0 of CMMC was released – the final version– DoD is moving full steam ahead. The “accreditation body” has been formed, which is an independent, non-profit group that is responsible for developing the training and assessment standards for the certification. The next step in the certification journey for DoD is forming a Memoranda of Understanding (MOU) with the accreditation body, which will outline the roles and responsibilities of each of the parties. Finally, “accreditors” – of which there are none currently – will be responsible for evaluating businesses and assigning them a CMMC certification level. If all of this third-party stuff leaves you scratching your head, just know that DoD is outsourcing the accreditation of over 300,000 contractors with plans for substantial oversight.

Substantial questions remain for contractors. One of the biggest is the timing of the certification rollout. The Department has said that they will issue 10 “pathfinder” solicitations that require various CMMC levels, including a few that will require level 4 or 5 certifications. Since these will be substantial contracts, if you are a small business tapped to subcontract on one of these – when will you get certified? Will there be some type of cue, where the biggest companies go first? Or will it be ranked by the amount of anticipated work? This remains to be determined.


Let’s talk levels.

While the CMMC levels have been refined throughout the DoD’s drafting process, it is important to know that there are five levels. Any contractor, regardless of the type of work they do that wants to do business with DoD will need at least a level one. Level one is the most basic cyber hygiene, which has some noteworthy differences from NIST 800-171. The Defense Department has said that most small businesses only need a level one. But I wouldn’t take that assessment at face value. It is important for small/midsize companies to determine the appropriate level they want to prepare for based on the work they do, or plan to do, for the DoD. For example, if your company handles any Controlled Unclassified Information (CUI) you will need at least a level three. By the way, these levels will also apply to subcontractors. Which brings me into the next section of this article – unknowns. 


Let's talk unknowns.

I was recently on a panel at the Women Leaders in Defense & Aerospace Law & Compliance Conference, where I shared the stage with the other two sides of the CMMC equation – a lawyer and prime. One of the things that I learned is that concerns span all business sizes—small businesses aren’t the only ones with questions. First and foremost is how the DoD will handle CMMC certification levels for subcontracted work. There has been a lot of conflicting information about this component flying around, but the latest and greatest (as of the time this is published) is that the program managers for both the DoD and prime contractor will work together to determine the appropriate CMMC levels for the components of subcontracted work.

Another unknown is how a company can dispute an assigned level by an accreditor. While the accreditation body will have some sort of mechanism to address this, DoD’s involvement in this process is unclear. This is an important question because certification levels will be assigned for a three-year period. Finally – and this is a big one – the total cost for contractors remains to be seen. DoD has not yet provided any specific information on the cost of obtaining the certification. Some good news is that something that is known (and has been for a while) is that DoD will not seek levels retroactively – meaning that no current contracts will be modified to require a certain certification level. All of this is to say, stay tuned.


WIPP recently offered a member webinar, "The Ugly Truth about CMMC," hosted by WIPP Board Chair and cybersecurity expert Angela Dingle. We intend to continue to provide the most updated education on this certification roll-out.

Moral of the story is – as a federal contractor, it is time to pay attention if you aren’t already. Although CMMC is only for the DoD supply chain, in the future it could impact civilian agencies as well. So, get ready – it’s moving full steam ahead with or without you. 


Tags:  cybersecurity 

Share |
Permalink | Comments (0)
more Calendar

9/29/2020 » 10/1/2020
WIPP Virtual Symposium on Cyber Resiliency

WIPP Advocacy Update - October 2020

WIPP Intersectionality Series

WIPP Community Connections - October 2020

WIPP Advocacy Update - November 2020

Featured Members
Jeanette Prenger (Hernandez)President & CEO, ECCO Select, North Kansas City, MO — September 2020 Member Spotlight
Tina PattersonPrincipal, Jade Solutions, Germantown, MD — August 2020 Member Spotlight

Privacy Policy / Disclaimer    |    © WIPP  |    888-488-WIPP

Association Management Software Powered by YourMembership  ::  Legal