The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.
Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC.
According to the AB, it will take an average-sized defense contractor seeking a Level 3 certification approximately eight to 12 weeks to receive it. The certification process has three phases.
Phase 1 – Contractor Preparation: The first phase of the CMMC process is the four- to six-week period when contractors update their safeguards so that they will pass the CMMC assessment. These preparations include upgrading existing controls and developing the institutionalized practices needed to satisfy the requirements for a Level 3 certification. Contractors can do this work themselves or engage outside consultants. Contractors should also begin reaching out to C3PAOs during this phase to request proposals, define the scope of the assessment, and select a C3PAO. Although the AB estimates this phase will take between four and six weeks, the actual time will depend on the contractor’s existing safeguards. If a contractor has an underdeveloped cybersecurity program or is not in compliance with existing requirements under DFARS 252.204-7012, this phase could take months rather than weeks.
Phase 2 – Examination: The second phase is when the C3PAO assesses the contractor’s cybersecurity program. The AB estimates that the assessment could be as short as one day (for Level 1 certifications) and as long as several weeks, depending on the size and complexity of the organization being assessed. The AB expects that an assessment of a typical defense contractor seeking a Level 3 certification will take approximately one week.
Phase 3 – Quality Check: The C3PAO will then submit its assessment to the AB, which will verify that the assessment was conducted properly. The AB is expected to quality check most, if not all, of the assessments during the initial rollout period. However, as the number of contractors requesting certification increases, the AB will switch to a sampling approach to make sure that assessments are being conducted on a consistent basis.
What is clear from this three-phase process is that contractors only have control over phase 1, when they upgrade their existing systems and prepare for the assessment. This means that contractors should begin preparing now by either evaluating and updating their systems themselves or engaging consultants to help them prepare. This will allow contractors to quickly engage C3PAOs when a contracting opportunity requiring a CMMC arises.