By Vicki Delaney

By June, the Department of Defense plans to publish as many as 10 requests for information on contracts that include CMMC requirements. If your company is bidding on a DoD contract or renewing a contract, chances are it will have to be certified to the Cyber Security Maturity Model (CMMC). CMMC is a vehicle the US Government is using to implement a tiered approach to auditing contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. DoD contractors have been required to comply with NIST 800-171 since January 1, 2018. In the past two years, the DoD grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB).

The Department of Defense created CMMC to mitigate a systemic issue of non-compliance with NIST 800-171 by both primes and their subs. When NIST 800-171 was initially launched, the DoD would not accept any form of third-party audit as evidence of NIST 800-171 compliance. It eventually realized that third-party audits were the only way compliance was going to be ensured. CMMC is a certification program executed by a non-biased third-party assessment organization.

Think of CMMC as a procurement gate that a contractor must pass to even be eligible to bid on, win or participate in a contract – without a valid CMMC certification (Level 1 through 5), the prime and/or sub will be barred from the contract.

Current estimates say 10,000 DoD suppliers will have to be certified by September 2020. The remaining 300,000+ organizations will be certified as new bids come up on the DIB.

How will you know if you will be impacted by this decision? 

  1. If Defense Federal Acquisition Regulation Supplement (DFARS) 204-7012 shows up on the bid request form, you will have to have a CMMC certificate before you can bid on the job.
  2. If you have a contract that renews after June 2020, you will have to be certified by September 2020.
  3. If you handle Controlled Unclassified Information (CUI), you will have to be certified. Third parties that have the ability to impact the confidentiality and/or integrity of CUI where it is stored, transmitted and/or processed will be included in the requirement. This will impact small organizations from IT support to bookkeepers and even janitorial support services, in addition to component manufacturers that fall in the supply chain.

Contact CPISYS for more information on the process to obtain CMMC (Cyber Security Maturity Model Certification).