Certification Matters

Are you ready?

What is the Cybersecurity Maturity
Model Certification (CMMC)?

CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems.

The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.


Comprehensive Analysis

know where you stand

Is a CMMC Gap Analysis
important for your company?

A CMMC gap analysis is critical for businesses with cybersecurity programs that are likely to include most of the required CMMC aspects, such as a risk assessment and a system security plan. If your security program is not yet at that level, you will probably gain more from an implementation planning type of approach that will help you establish the scope of your CUI environment as a first step


Competitive Advantage

be prepared

How Will CMMC Impact
My Business?

The first obvious impact will be on recompetes. Every contractor’s existing work will be up for grabs depending upon which CMMC level is required by the contracting authority. It will be advantageous to begin asking about the intended CMMC requirement during the RFI and question submittal periods of the acquisition lifecycle.

This will fall in line with other elements of the capture strategy (i.e. which NAICS code or small business set-aside will the agency use in the acquisition strategy). Furthermore, there are advantages of winning new business if your company receives a higher CMMC level than your competition.

A great positive to the new certification will be the elimination of ambiguity. The industry has struggled largely to grasp compliance and understand how the DoD would enforce compliance.

Compounding this issue, Aerojet Rocketdyne (AR) was recently issued a Civil False Claims Act (FCA) action for misleading the US Government of their compliance with DFARS 7012 and NIST 800-171. A previous employee and cybersecurity watchdog submitted the claim against them, and AR was not able to adequately defend themselves on the basis of their own self assessment. Now companies will be able to lean on the third party assessment of CMMC and eliminate the risk of potential FCA actions.

One last thing – IT Security costs are going to be an allowable charge on contracts moving forward, and will be an element of your best value proposals. Thus, new rates and bidding strategies will come into play within your pricing volumes.


Federal Requirements

what is your risk?

Who must comply with
the CMMC?

All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DoD to develop procedures to certify independent Third-Party Assessment Organizations (CP3AOs) and assessors that will evaluate companies’ CMMC levels.