In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).
The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.
The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.
Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC. Continue reading “Preparing for the Rollout of the Cybersecurity Maturity Model Certification: It Is All about the Timing”