Authors: John Farley Scott Corzine
The US federal government continues to focus on cybersecurity issues and set the tone for heightened standards to defend against cyber threats. The Cybersecurity Maturity Model Certification (CMMC) program is one such standard that focuses on growing risks to defense suppliers, collectively the Defense Industrial Base (DIB) Sector. Due to malicious cyber activity, threats to intellectual property, economic espionage and data loss, the US Department of Defense (DoD) is implementing enhanced requirements to protect sensitive data associated with DoD contracts.
To whom does CMMC apply?
CMMC applies to all DoD prime and sub-contractors, and cuts across a large network of companies and into many product classifications and industry sectors. Product classifications range from obvious defense sector products like aerospace, weapons and communications systems to less obvious products sold to the Pentagon. Contractors include but aren't limited to providers of clothing, food and building materials, as well as to manufacturers, higher education/research institutions, systems integrators, and service and technology providers. It applies to up to approximately 300,000 global providers of $264 billion in goods and services procured by the Pentagon.
What does CMMC require?
The CMMC is more prescriptive and nuanced than other frameworks and standards. It measures how well contractors and subcontractors in the defense supply chain have implemented and operationalized their cybersecurity practices and processes against a three-level maturity standard: foundational, advanced and expert.
The specific level required for your organization depends on the type of information you're working with and the contractual wording in your contract with the DoD. For those requiring compliance to Levels 2 or 3, CMMC mandates that a Certified Third-Party Assessor Organization (C3PAO) designated by the DoD to independently certify that the institution meets NIST 800-171r2. As of this writing, Cyber AB lists 57 C3PAOs that can conduct certifications.
Penalties for non-compliance
When defense contracts begin requiring CMMC compliance, any contractors or subcontractors that fail to comply may lose their contract with the DoD. If any party falsely certifies CMCC compliance, they may become subject to prosecution under the False Claims Act.
When is it in effect?
After several years of proposals, CMMC will finally become law in 4Q24 and 1Q25We expect that CMMC requirements will begin showing up in defense contracts — and contract flow-downs from prime defense contractors to its subcontractors — beginning about April 2025 for new and renewal defense contracts. Both the DoD and Department of Justice have put the defense supply chain industry on notice that it will begin taking regulatory compliance and enforcement action thereafter.
Given the limited time frame to meet the CMMC's compliance obligation we recommend consulting with legal and subject matter experts to determine if your institution is impacted by virtue of either direct contracts with the DoD or via subcontracts in the DoD supply chain. Consider immediate steps to independently assess your compliance CMMC or lack thereof so you can take steps to remediate any potential issues. For more information, see the DoD's About CMMC page.
