What Defense Contractors Can Expect From the CMMC

The Department of Defense has recently taken steps to make cybersecurity a top priority. One of the ways this has taken form is in a recently issued rule to implement heightened cybersecurity measurements for defense contractors, effective as of November 20, 2020. A cornerstone of this cybersecurity initiative, and contractor compliance, is the implementation of the CMMC framework.

CMMC stands for “Cybersecurity Maturity Model Certification,” a unifying standard for implementing cybersecurity measures across the Defense Industrial Base. The CMMC was created by the Department of Defense for the purpose of bolstering current cybersecurity measures. Additionally, the CMMC serves as a verification mechanism to hold defense contractors to the highest standard of cybersecurity best practices.

The CMMC is comprised of five certification levels that reflect the reliability of a company’s cybersecurity infrastructure. The five levels are tiered, and each level requires compliance with the lower-level requirements and processes. The five certification levels of the CMMC are as follows:

1. Basic cybersecurity practices such as antivirus software and employee password policies.

2. "Intermediate cyber hygiene” practices to protect any Controlled Unclassified Information through the implementation of the NIST’s security requirements.

3. A company must have institutionalized management to implement good cyber hygiene practices to meet the aforementioned requirements.

4. A company must have implemented processes for review and measuring the effectiveness of their cybersecurity practices. They must also establish enhanced practices to detect and respond to changing cybersecurity tactics and techniques of advanced persistent threats.

5. A company must have standardized and optimized processes in place, across the organization, and additional practices to provide a more sophisticated approach to detecting and responding to advanced persistent threats.

The expectation of the Department of Defense is that, eventually, all contractors working on Department of Defense contracts will be required to have a CMMC certification. Prior to the CMMC requirement, government contractors were fully responsive for the implantation, monitoring, and certification of their technology systems. This responsibility included managing, storying and transmitting sensitive Department of Defense information. As cyber-related attacks become both more common and more sophisticated, the need for heightened cybersecurity measures and diligence has grown exponentially. 

Currently, individual government contractors remain responsible for implementing the proper cybersecurity measures. The role of these CMMC guidelines is to add another form of assessment of the contractor’s compliance with certain mandatory practices. The Department of Defense has indicated that the prime-level certification requirement will not necessarily be the same certification level that is required throughout the entire supply chain for the contract. Subcontractors may exist at a different certification level, depending on the role of the subcontractor in a given project.

To learn more about the CMMC and its impact on defense contractors, please reference the CMMC FAQ created by the Office of the Under Secretary of Defense, click here.

AssuredPartners Government Contractor Solutions team can help ease the administrative burden. Our niche experts have the necessary experience and knowledge to handle the administrative needs of government contractors. That leaves contractors open to take advantage of the tax-preferential treatment permitted by the governing laws. Employers who would like help streamlining compliance while minimizing the personal burden can contact our team of Government Contractor specialists or visit our website for more information.