The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is still working with DoD stakeholders and industry to finalize the development of the Cybersecurity Maturity Model Certification (CMMC). As stated on the OUSD(A&S) website: “The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” On March 13, 2020, Under Secretary of Defense Ellen Lord issued a statement on misleading cybersecurity certification information. She stated, “some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.” These representations are not factual, as “[t]he requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized.”
As noted, no firms are currently approved to issue CMMC certifications, and anyone offering approval letters is not authorized to do so. This doesn’t mean that, as a contractor, you should be doing nothing. The CMMC requirements for levels 1-5 have been published and are available. All government contractors should be diligently pursuing updates as necessary to meet these requirements so that when C3PAOs are approved, you are ready for audit. Below are links for additional information:
Redstone GCI assists contractors throughout the U.S. and internationally with understanding the Government’s expectations and requirements related to compliance with Government contracting terms and conditions.