RGCI-Ready for Cybersecurity Maturity Model Certification

Per DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” Contractors were to implement NIST SP 800-171 by 12/31/2017. However, Contractors’ self-certification has not gone as well as the Department of Defense (DoD) had hoped. DoD has even included it in 2019 Contractor Purchasing System Reviews (CPSR), in which the Defense Contract Management Agency (DCMA) evaluates Contractors’ monitoring of their subcontractors’ self-certification. In the meantime, DoD has shifted gears and is developing the Cybersecurity Maturity Model Certification (CMMC) to strengthen cybersecurity at every tier of the DoD supply chain, from the prime Contractor down to the lowest subcontractor.

Where DoD Focus Lies

The DoD is not taking aim at just the 20,000 prime contractors, but at the approximately 300,000 vendors that make up its entire supply chain. The CMMC is being fast-tracked to implementation – from the finalization of the CMMC testing requirements in January 2020 to the requirement that Contractors be certified by a 3rd party between June and September 2020. The Government plans to specify the required certification level in Requests for Proposals (RFP) issued in fall 2020 or early 2021.

What is the CMMC?

  • DoD is working with the Johns Hopkins University Applied Physics Laboratory (APL) and the Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards—including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933—into a single unified standard for cybersecurity.
  • Does not replace DFARS 252.204-7012 and NIST 800-171 – it adds more requirements.
  • Self-assessments will NO LONGER be allowed.
  • All DoD Contractors will be required to pass a 3rd party assessment/audit to officially obtain their CMMC Level.
  • The CMMC maturity levels currently proposed are 1 - 5, with Level 1 being the easiest and lowest level to obtain.
  • The CMMC schedule roll-out is aggressive and is moving quickly to complete the CMMC by January 2020, and contractors may start seeing the certification REQUIREMENT in contract RFIs by June 2020.
  • Authorizes a non-profit organization to oversee the program and accredit private-sector (3rd party) auditors (planning to train approximately 250 certifiers per month in the initial roll-out).
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • Makes cybersecurity an “allowable cost” in DoD contracts.
  • The required CMMC level (1-5) for a specific contract will be contained in the RFP sections L&M and be a “go/no-go decision”. (*Note: If Contractors do not have the required level they cannot submit a proposal – Government will not wait for Contractors to obtain the required level and Tier 1 subcontractors may be required to have the same level.)

Below is the current projected model for Level certification. Be aware that this model is still being revised and is subject to change upon finalization of the CMMC requirements.

[Figure: CMMC Phase 1 Model v0.2 – DISTRIBUTION A. Approved for public release]

Stay Tuned

CMMC will likely change the landscape of companies eligible to bid and perform on DoD contracts. Although the program is still in development, certifying companies will have to be trained, reviewed/audited, and granted authority before they can perform CMMC assessments/audits. Contractors need to start preparing (if they aren’t already) and ensure their critical suppliers are doing the same.

In addition, keep up with the CMMC process at the DoD CMMC website. The Government has not indicated any plan to “slow roll” or delay this; instead, it is pushing ahead and expects Contractors to “get on board” immediately. Redstone GCI consultants have the experience to assist contractors with preparation for CMMC certification. With a variety of training and consulting options available, reach out to us for resources to prepare your team for CMMC certification!


Written by Redstone Team

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: DFARS Business Systems, Contractor Purchasing System Review (CPSR), Cybersecurity