Freed Maxick RAS Team
DoD Contractors and Subcontractors Must Protect Federal Contract Information and Controlled Unclassified Information, or …
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program to ensure that specific types of sensitive but unclassified data residing outside of government systems are adequately protected. The certification program replaces the NIST SP 800-171 self-attestation that defense contractors (and subcontractors) perform today and applies to Federal Contract Information (FCI) and, at the higher levels, to Controlled Unclassified Information (CUI). This program will significantly change how many defense contracts are awarded and can have big implications for your organization. Click here for other blog posts on this topic and here for an overview of Freed Maxick services for helping companies achieve CMMC compliance. You can also access CMMC frequently asked questions here.
Here are five facts about CMMC that we discuss with our clients:
- Uncertified Organizations Will Not Be Awarded DoD Contracts
Plans of Action and Milestones (POA&Ms) are not allowed under the CMMC program: a practice is either met or it is not, and an open item cannot be used to claim a level. Organizations will not be awarded a contract that carries a CMMC requirement while that requirement is unfulfilled; however, organizations will be permitted to bid on contracts with CMMC requirements as long as they obtain the required certification before beginning work on the contract.
- Compliance Advisors are not the Same as Compliance Auditors
The CMMC program is designed to avoid conflicts of interest. Consultants who advise a contractor on how to comply with CMMC are not able to perform that contractor's CMMC assessment. Likewise, the certified assessor (a CMMC Third Party Assessment Organization, or C3PAO) will not be able to provide any advice on how to achieve or improve your CMMC compliance.
- A CMMC Certification has a Three-Year Shelf Life
CMMC certifications will be valid for three years from the date of issue, so plan (and budget) to recertify within that timeframe.
- Only 15 Contracts Will Require CMMC in 2021, but ……
Only 15 contracts this year (2021) will carry a CMMC certification requirement. The number of contracts requiring certification will grow each year until fiscal year 2026, when all new DoD contracts will require the appropriate CMMC level.
- The CMMC Compliance Dive May Not be as Deep as you Think
CMMC defines five maturity levels; each level adds practices and process-maturity requirements on top of the level below it. Most contractors will only need Level 1 (if they handle FCI but no CUI) or Level 3 (the minimum level for handling CUI); Level 2 is a transitional step between them.
• Level 1: Perform 17 Cybersecurity Practices (the basic safeguarding requirements of FAR 52.204-21)
• Level 2: Perform and Document 72 Practices
• Level 3: Perform, Document, and Manage 130 Practices (the 110 NIST SP 800-171 controls plus 20 additional practices)
• Level 4: Perform, Document, Manage, and Review the effectiveness of 156 Practices
• Level 5: Perform, Document, Manage, Review, and Optimize 171 Practices
Freed Maxick’s Third Party Readiness Review for CMMC Compliance
Freed Maxick is a Registered Provider Organization (RPO) with a team of Registered Practitioners (RPs) who will work with you and your organization to review your overall compliance with CMMC. By conducting a thorough examination of your organization's IT environment and practices, we can help you navigate CMMC, identify weak areas in your current processes, and advise you on the most effective and efficient ways to prepare to become CMMC compliant.
Even though CMMC is rolling out slowly, it will most likely take time and investment by your organization to ensure you are compliant. If you would like help preparing for CMMC compliance, our Risk Advisory Services team can assist you. For more information on our risk consulting programs and services, please contact Samuel.DeLucia@freedmaxick.com or call 585-314-2069.