CMMC certification guarantees? Be mindful.
Ads that say words to the effect of “work with me and CMMC is guaranteed” have largely disappeared. That’s a good thing, especially since contractors only have control over the first of the following three phases.
- Contractors prepare their systems for examination by the C3PAO
- The C3PAO vendor examines the contractor’s systems
- The CMMC Accreditation Board then verifies that the C3PAO vendor performed the examination correctly
CMMC Preparations Should Begin Now
For people who are curious about where their company may measure up against the standards, lots of companies are offering these types of assessments. The DOD Office of Small Business Programs has stood up Project Spectrum as a resource to help small businesses determine the gap between their existing cybersecurity processes and the requirements of CMMC. This is a good first step. And it is free.
Many other providers offer a similar readiness check. In addition to the readiness check, they also offer a DIY step-by-step guide outlining the steps to follow prior to applying for certification. Many also offer done-for-you services to assist you in putting proper procedures in place. These types of solutions provide valuable services that many small businesses need in their journey to obtain CMMC certification at the appropriate level.
DOD’s CMMC requirements are popping up in solicitations even before the certification process is stood up. And although the certification requirement and the oversight board tasked with managing the actual CMMC process that leads to contractors attaining the required level of certification (CMMCAB.org) are the brainchild of DOD, civilian agencies are following their lead.
This is particularly true with GSA’s BIC contract vehicles that are widely used by DOD to fulfill contract requirements. This is evident in the much anticipated 8(a) STARS III contract. That’s how important cybersecurity is to the government as a whole.
CMMC’s requirement to attain a specific level of certification is new. However, the underlying requirements are NOT new.
Back in 2016 the government established standards regarding protection of information that is not classified. These standards became applicable in government contracts through the creation and application of various acquisition clauses. It would be a wild overstatement to say that every contractor realized that by signing contracts containing these clauses they were agreeing to implement a host of requirements based on NIST standards. I taught my first class on this four years ago this month at a PTAC meeting.
These important requirements exist even though the government currently has no mechanism to verify that contractors are in fact complying with these standards. That, however, does not mean that contractors are not guilty of a False Claims Act violation when they fail to comply with these requirements. See this Arnold & Porter article on that case here.
CMMC compliance is basically the government’s way of ensuring that contractors comply with existing regulations. Updates to the DFARS are planned and are on the horizon. According to