DoD Announces New CMMC Program—and It’s Great News for Small Contractors.

Written by Richard Astle | Jun 13, 2019 5:45:00 PM

We’ve expected for some time that the Department of Defense was going to step up
its efforts to move away from self-attestation and start enforcing cybersecurity
compliance among defense contractors. Now—just like that—it’s a reality.
In late May, Katie Arrington, special assistant for cybersecurity in the Office of the
Under Secretary of Defense for Acquisition and Sustainment, announced the
Cybersecurity Maturity Model Certification program, or CMMC, which will require
cybersecurity audits and certifications for all DoD contractors.

The program is currently being developed by Johns Hopkins and Carnegie Mellon University and will combine several cybersecurity standards, including NIST 800-171, NIST 800-53, FIPS and others, into a single unified standard. It will go into effect next year.

The good news? There’s going to be a stick, yes, but there’s also a carrot—lots of
carrots, in fact—that will make compliance for small contractors not only easier but
actually affordable.

Here are the salient points:

  • Compliance is no longer “one size fits all.” CMMC compliance will range from Levels 1 to 5, with Level 1 being full adherence to basic, common-sense cyber-hygiene standards and Level 5 being the ultimate in full compliance with all NIST and other security controls.
  • Contracting requirements will be transparent. The required CMMC level (1-5) for each specific contract will be stated clearly in all RFPs and it will be a “go/no go” decision. If the contract calls for a CMMC Level 2 compliance and you’re only a Level 1, then you’re out. It’s that simple.
  • Security will be an allowable expense. You’ll be able to roll the cost into your billable rate. Moreover, grant money will be available to smaller contractors to help them get initially certified.
  • You’ve got to move forward—and soon. The official CMMC will be released in January 2020. The CMMC requirements will be used in RFIs starting in June and in RFPs following that. So companies will need to be audited and certified by spring at the latest.

One more thing: Small contractors have an empathetic, highly knowledgeable friend in Arlington, an entrepreneur who was once the vice president of operations for Dispersive Technologies, a small software developer for DoD, and she’s got a lot of plans in the works to make life easier for the 99.9 percent of defense contractors who aren’t massive and flush with cash.

“I’ve sat in your seat,” she says, noting that she wants to hear from contractors with questions or input. “I came into government to lessen the burden on you.”

So stay tuned: This blog will dig into the various aspects of the CMMC over the next several weeks and months to provide more details on what it all means for you, the small defense contractor.