The Department of Defense has government contractors scrambling to become compliant with its new standard, the Cybersecurity Maturity Model Certification (CMMC). Self-attestation won't cut it anymore: you'll need to pass a third-party assessment if you want to bid on new DoD contracts.
The change has a lot of contractors rushing to understand the ins and outs of CMMC and to get certified. Contractors are asking a lot of questions and searching for the simplest way of getting their ducks in a row so they don’t miss out on the next contract opportunity.
Looking for answers? You’ve come to the right place. This article will give you the basics of CMMC and help you figure out how to make certification as simple as possible.
Why the Change to CMMC?
In the past, government contractors were only required to self-attest to their cybersecurity readiness (for example, to their implementation of NIST SP 800-171 under DFARS 252.204-7012). That self-assessment was often requested only after the contract was awarded. Put those two facts together, and you can probably imagine what happened.
Several contractors were discovered, after the fact, to have misrepresented the state of their cybersecurity. Severe penalties were issued, but the damage was already done. So the DoD collaborated with standards organizations and developed a new certification framework that would be more robust and prescriptive, and that would verify controls before award rather than after.
And, of course, contractors will now need to be certified by a third-party assessor before a contract is awarded.
What Are the Basics of CMMC?
CMMC is based on several security standards, but draws most heavily on NIST SP 800-171 and the basic safeguarding requirements of FAR 52.204-21. A third-party assessor (a CMMC Third Party Assessment Organization, or C3PAO) will evaluate your readiness based on the technical controls you've implemented, your documentation, and your policies. The assessment certifies you at one of five levels. The higher your level, the more sophisticated and comprehensive your security readiness, and the more contracts you'll be eligible for.
The five levels are cumulative: each level requires every practice of the level below it plus additional ones. Level 1 covers basic cyber hygiene (the FAR 52.204-21 safeguards), Level 3 roughly corresponds to full NIST SP 800-171 implementation plus additional practices, and Level 5 uses the most advanced and progressive practices available. Most companies will aim for a certification between Level 1 and Level 3.
Knowing the types of information you receive, store, generate, process or transmit is critical, because it drives both your required level and the scope of the assessment: handling only federal contract information (FCI) points to Level 1, while handling controlled unclassified information (CUI) points to Level 3. Map out where that data lives and which systems touch it, and coordinate with your DoD point of contact to confirm the level you'll need.
Who Needs CMMC Certification?
Any contractor that bids on a DoD contract involving controlled unclassified information (CUI) or federal contract information (FCI) will need to be CMMC certified. The required level of certification will be stated in the RFP.
Contracts solely for commercial off-the-shelf (COTS) products are exempt from CMMC compliance.
Do Our Subcontractors and Vendors Need CMMC Certification?
Expect the CMMC requirement to flow down to your subcontractors, although a subcontractor may not need the same level of certification as the prime; the level depends on the information it actually handles. Details are still being released, so stay tuned.
When Does CMMC Roll Out?
Rollout has already begun. You don't need to be certified under existing contracts, but new and renewed contracts will only be awarded to CMMC-certified companies. By November 1, 2025, every contractor that has access to CUI or FCI must be certified under CMMC.
How Painful Is CMMC Certification Going to Be?
For most contractors, CMMC will be daunting, especially the first time around. It's an enormous program, and it will be overwhelming for a small team to manage. Your greatest asset will be a compliance consultant who knows and understands the requirements of CMMC.
You'll also need a holistic, end-to-end compliance management tool that automates and streamlines your entire CMMC engagement. Having the right tool for a standard this large can cut staff hours substantially and eliminate the vast majority of your sleepless nights.
TCT Portal is designed for government contractors who need to get on top of CMMC. Real-time insights, common-sense organization, and automated functions make it easier to manage the monstrous compliance standard, even if it’s your first time through it. Even better: TCT Portal can manage every other compliance standard you need to meet.
You can leverage the TCT Portal standalone software, or you can seek assistance from TCT to navigate the waters. We regularly provide pragmatic advice on everything from approach to vendor selection and even recommend assessors that are great to deal with.
CMMC is unfamiliar and overwhelming, but you don’t have to figure it out on your own. TCT is staffed with consultants who have lived in the compliance trenches for decades. We’ve seen it all, and we can anticipate the landmines before you get to them.