Hundreds of thousands of companies will need to be CMMC compliant. If you are not sure which compliance standards your clients or other third parties expect of you, you could already be behind.

If you are a contractor or subcontractor working on projects or products for the Department of Defense (DoD), including subcontracts that flow down from DoD prime contracts, you will need to achieve Cybersecurity Maturity Model Certification (CMMC) at the level your contract specifies. Contractors that cannot demonstrate the required CMMC level will be ineligible for award of contracts that carry the requirement.

What is CMMC?

The US Department of Defense (DoD) has implemented security protection requirements for contractors and subcontractors to keep sensitive unclassified information and data from falling into the wrong hands.

The Defense Industrial Base (DIB) is the target of more frequent and increasingly complex cyberattacks. To protect American ingenuity and national security information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters.

CMMC is a mandatory program designed to enforce the protection of sensitive, unclassified information that is shared by the Department with its contractors and subcontractors.

Why do I need to participate in the CMMC program?

The DoD currently requires covered defense contractors and subcontractors (under DFARS clause 252.204-7012) to implement the security requirements set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems. Contractors must also document their implementation status in a System Security Plan (SSP), including a plan of action for any NIST SP 800-171 Rev 2 requirement not yet implemented.

The CMMC Program provides the Department the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required.

This ensures that defense contractors and subcontractors have implemented the required security measures. The program also:

– Expands application of existing security requirements to Federal Contract Information (FCI).
– Adds new Controlled Unclassified Information (CUI) security requirements for certain priority programs.

The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.

The information for this post was taken from the website of the Chief Information Officer of the US Department of Defense: dodcio.defense.gov/cmmc

For more information, register for our live webinar, "What you need to know about CMMC and if it applies to you", which walks through the CMMC program and helps you determine whether you need to participate: https://bit.ly/3AXKcsX