Are you ready?
What is the Cybersecurity Maturity
Model Certification (CMMC)?
CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems.
The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. It was drafted with significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry.
know where you stand
Is a CMMC Gap Analysis
important for your company?
A CMMC gap analysis is critical for businesses with cybersecurity programs that are likely to include most of the required CMMC aspects, such as a risk assessment and a system security plan. If your security program is not yet at that level, you will probably gain more from an implementation planning type of approach that will help you establish the scope of your CUI environment as a first step
How Will CMMC Impact
The first obvious impact will be on recompetes. Every contractor’s existing work will be up for grabs depending upon which CMMC level is required by the contracting authority. It will be advantageous to begin asking about the intended CMMC requirement during the RFI and question submittal periods of the acquisition lifecycle.
This will fall in line with other elements of the capture strategy (i.e. which NAICS code or small business set-aside will the agency use in the acquisition strategy). Furthermore, there are advantages of winning new business if your company receives a higher CMMC level than your competition.
A great positive to the new certification will be the elimination of ambiguity. The industry has struggled largely to grasp compliance and understand how the DoD would enforce compliance.
Compounding this issue, Aerojet Rocketdyne (AR) was recently issued a Civil False Claims Act (FCA) action for misleading the US Government of their compliance with DFARS 7012 and NIST 800-171. A previous employee and cybersecurity watchdog submitted the claim against them, and AR was not able to adequately defend themselves on the basis of their own self assessment. Now companies will be able to lean on the third party assessment of CMMC and eliminate the risk of potential FCA actions.
One last thing – IT Security costs are going to be an allowable charge on contracts moving forward, and will be an element of your best value proposals. Thus, new rates and bidding strategies will come into play within your pricing volumes.
what is your risk?
Who must comply with
All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DoD to develop procedures to certify independent Third-Party Assessment Organizations (CP3AOs) and assessors that will evaluate companies’ CMMC levels.
Thank you again so much for coming here and spending time with us. We learned more in those few hours than in the past few years!…Read More
We are an executive search firm, and we use CRM! to manage all of our records—for both our clients and our candidates.…Read More
There are not enough superlatives to describe Ki Consultants. In the two years I have worked with them, I have watched them help many of our associates in the Boca Raton Chamber of Commerce.…Read More
Ki Consultants is about reliability and performance. They set up our infrastructure with CRM! database connectivity for our sales force.…Read More
Ki Consultants has been such a pleasure to work with. They have a wonderful energy, and I have enjoyed each interaction with them. Their positive ideas and creativity are both welcome and refreshing.…Read More