DoD Announces New CMMC Program—and It’s Great News for Small Contractors

By: Richard Astle | August 6th, 2019 |

We’ve expected for some time that the Department of Defense was going to step up its efforts to move away from self-attestation and start enforcing cybersecurity compliance among defense contractors. Now—just like that—it’s a reality. In late May, Katie Arrington, special assistant for cybersecurity in the Office of the Under Secretary of Defense for Acquisition and Sustainment, announced the Cybersecurity Maturity Model Certification program, or CMMC, which will require cybersecurity audits and certifications for all DoD contractors.

The program is currently being developed by Johns Hopkins and Carnegie Mellon University and will combine several cybersecurity standards, including NIST 800-171, NIST 800-53, FIPS and others, into a single unified standard. It will go into effect next year.

The good news? There’s going to be a stick, yes, but there’s also a carrot—lots of carrots, in fact—that will make compliance for small contractors not only easier but actually affordable.

Here are the salient points:

• Compliance is no longer “one size fits all.” CMMC compliance will range from Levels 1 to 5, with Level 1 being full adherence to basic common sense cyber-hygiene standards and Level 5 being the ultimate in full compliance with all NIST and other security controls.
• Contracting requirements will be transparent. The required CMMC level (1-5) for each specific contract will be stated clearly in all RFPs and it will be a “go/no go” decision. If the contract calls for a CMMC Level 2 compliance and you’re only a Level 1, then you’re out. It’s that simple.
• Security will be an allowable expense. You’ll be able to roll the cost into your billable rate. Moreover, grant money will be available to smaller contractors to help them get initially certified.
• You’ve got to move forward—and soon. The official CMMC will be released in January 2020. The CMMC requirements will be used in RFIs starting in June and in RFPs following that. So companies will need to be audited and certified by spring at the latest.

One more thing: Small contractors have an empathetic, highly knowledgeable friend in Arrington, an entrepreneur who was once the vice president of operations for Dispersive Technologies, a small software developer for DoD, and she’s got a lot of plans in the works to make life easier for the 99.9 percent of defense contractors who aren’t massive and flush with cash.

“I’ve sat in your seat,” she says, noting that she wants to hear from contractors with questions or input. “I came into government to lessen the burden on you.”

So stay tuned: This blog will dig into the various aspects of the CMMC over the next several weeks and months to provide more details on what it all means for you, the small defense contractor.

About the Author: Richard Astle

Richard is the CEO of NeQter Labs – or possibly – better known as a recent winner of the Providence Business News’ 40 under 40. Richard has been with NeQter Labs from day 1, what began with a need based idea for a DoD subcontractor turned into what is now a leading hardware and software based cybersecurity company. Richard enjoys working with their growing team and is based in Pawtucket, RI.