Many reading this post are aware there are significant changes coming for Department of Defense (DoD) contractors (prime or subs) in 2020, and it is essential to be getting ready for these if you intend to continue with existing DoD contracts or obtain new ones. Currently, DoD allows a business to self-certify compliance with the controls in place to protect information (digital or otherwise) in the fulfillment of a contract. This expectation has been in place since Dec 2017. As of 2020, based on all available information at this time, this self-certification ability will sunset, and any business involved with a DoD contract (prime or sub) will have to have a third-party certification in order to continue participating in the contract. This will be a Go/No-Go certification, with no flexibility given for partial compliance. This DoD initiative is referred to as the Cybersecurity Maturity Model Certification (CMMC) and will be life-changing for many companies within the defense industrial base (DIB).
Some of the key points of CMMC as of this writing:
1. CMMC will require a third-party cybersecurity certification to validate the information security infrastructure of the company
2. CMMC will grade information security infrastructure on a scale of 1 to 5, 5 being the most stringent. Any private sector DoD contractor, prime or sub, must achieve at least a Level 1 to participate in a DoD contract.
3. CMMC standards to be defined and released no later than January 2020
4. CMMC will require a company, Tier 1 and subs, to have the CMMC certification to match the level required on the solicitation prior to being awarded the contract
5. Certifying organizations (those entities to be conducting the third-party certifications) will be trained and ‘certified’ by June of 2020.
6. Approximately 300,000 DoD contractors/subs will then need to be certified
7. Timeline:
– CMMC Rev. 1.0 to be released January 2020
– CMMC will be included in RFIs starting June 2020
– CMMC will be included in RFPs starting September 2020
For current updates/additional information: Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification
If your business is involved in any way with DoD contracting (and probably soon any Federal contract), you need to begin understanding the implications of the CMMC initiative and begin working towards compliance. It is expected that DoD requests for information (RFIs) will begin including the CMMC levels (Levels 1 through 5) in June of 2020 and that requests for proposals (RFPs) for contracts will require CMMC certification by September 2020. Achieving even a Level 1 certification (the minimum requirement for any DoD contract going forward) will require time and probably some capital outlay for technical assistance from an IT firm. Consider understanding the CMMC requirements a must for your company, and consider becoming aware of what will be expected of you in 2020 and beyond simply a price of doing business going forward. If you do not start the process now to achieve compliance, there is a good chance you will not be able to implement the required controls in time to bid on 2021 contracts (September 2020).
Below is a fairly detailed article that provides a strong overview of CMMC for those who would like a more thorough explanation of the initiative. If you or someone you know involved with federal contracting has questions and/or would like additional information, please contact one of our UGA SBDC offices throughout the state.
DoD Updates Draft Cybersecurity Maturity Model Certification—300,000+ DoD Contractors and Subcontractors Required to Be Certified as a Prerequisite to Contracting
All the best,
Mark Lupo, MBCP, SMP