Preparing DoD Contractors for CMMC Certification

Ensuring the protection of sensitive information is an important practice that government and Department of Defense (DoD) contractors have been tasked with for years. Maintaining the security of both classified and unclassified information is paramount given the amount of data shared online. To manage the risk, DoD contractors are required to comply with NIST 800-171, which outlines the security control structure, designations and processes for maintaining a secure data environment. Given the evolving nature of cybercrimes, it is a necessity to constantly monitor, review and upgrade standards to maintain an optimal level of protection. To achieve this objective, the DoD recently issued the Cybersecurity Maturity Model Certification (CMMC), which all DoD contractors will need to address for new and renewing DoD contracts in 2020.

CMMC Levels

The model features various levels of security that must be met depending on the specific contract requirements and contract access to classified and unclassified information, including:

  • Level 1: Basic Cyber Hygiene
    This is the foundation for all other cybersecurity models. Information shared as part of the contract is not intended for public release but is not considered controlled unclassified information (CUI).
  • Level 2: Intermediate Cyber Hygiene
    Companies at this level should be able to establish and document standard cybersecurity operating procedures, policies, and strategic plans.
  • Level 3: Good Cyber Hygiene
    Compliance at this level means a company can protect and maintain a comprehensive cybersecurity program.
  • Level 4: Substantial Cyber Hygiene
    Contractors will be able to identify, adapt, and implement cybersecurity controls as threats change.
  • Level 5: Proactive Cyber Hygiene
    Proactive cybersecurity management includes optimized controls, documented practices, and regular communication with management.

CMMC Timeline

December 2019: Final public comment period

January 2020: Final CMMC regulations released

February/March 2020: Third-party assessors can apply for accreditation

June 2020: CMMC requirements part of RFIs

Late 2020: CMMC compliance required to bid on RFPs

As of January 31, 2020, final CMMC regulations were issued for all contractors that currently work with the DoD or plan to in the future. Third-party assessors can begin to apply for accreditation as early as February or March and will be ready to assess CMMC readiness in late spring or early summer 2020 when the first audits will likely start happening. Beginning in June 2020, the DoD is expected to include CMMC requirements in RFIs, and in late 2020 DoD contractors need to be certified to bid on RFPs.

CMMC Readiness Assessment

Given the number of changes put forth in the CMMC, DoD contractors should seriously consider conducting a readiness assessment. This will allow for a review of existing policies, procedures and controls to ensure they are prepared to meet contract-required certification levels. The assessment will identify gaps and highlight strengths, weaknesses and critical items which must be resolved. Since DoD contractors are not permitted to self-certify and must receive an audit in order to maintain compliance, this is the best way to validate that a contractor is ready to pass a CMMC audit.

CMMC Audits

Currently, the DoD has not outlined the process by which an auditor can become certified to conduct a CMMC audit. This means there is currently no way for a DoD contractor to receive an audit and receive certification.



Neena Shukla, CPA, CFE, CGMA, FCPA, CTP

Partner, Government Contracting Team Leader