CMMC Ground Truth

Hello DOD Contractors, Supply Chain members and everyone else. This is our inaugural blog post and we are focusing on the ground truth of CMMC as it is understood today. If you do a quick Google Search you will see a ton of press releases that provide this information and that information about CMMC and frankly, most of it is either assumed or framed to elevate the author’s business prospective and position. So, what is the ground truth and how do you navigate through all of the disinformation that is presented to you? First, go to the horses mouth, the Office of Under Secretary of Defense (OUSD(A&S)) and the CMMC Accreditation Board Second, check here regularly for updates as they are delivered through the CMMC-AB and the OUSD.

Where is CMMC today? Currently, the CMMC-AB has been established, working groups have been formed and CMMC Version 1.02 published. Training for C3PAO and Assessors is under development. That is it in a nutshell.

When do CMMC requirements begin? CMMC Projected dates: June 2020 – CMMC will start to appear in Request for Information (RFI); September 2020 – CMMC will start to appear in Request for Proposals (RFP). Businesses that fall within Levels 1-3 will be the first to adhere with the CMMC requirement. The entire roll out is projected to take up to five years with Levels 4-5 in the later.

Does my company need to become certified? CMMC is required for any and all companies who provide products/services to DOD contracts when Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) is involved. If you produce/supply only Commercial Off the Shelf (COTS) products you will need to achieve Level 1, according to Katie Arrington, OUSD.

When do I need to become certified? You will need to be certified when you bid on/win a contract that has the CMMC identifier within it or when your current contract comes up for renewal so long as CMMC is identifed within the renewal RFI/RFP.

When should I start the process to become compliant? Start today! Right now, NIST 800-171 is the law of the land and compliance with that will put your organization very close to CMMC Level 3. Being proactive within this approach will position you well when CMMC audits begin. You may want to reach out to a reputable company who understands these requirements to assist with your program development and management.

Are there any companies certified to conduct CMMC audits? NO! Currently the C3PAO program is under development. Once the program is outlined, expectations and requirements solidifed, and training materials produced, the first C3PAOs will then be trained and certified to a specified level. C3PAOs will only be allowed to audit to the Level they are certified. With that, individual assessors will also be trained and certified whereby they will work underneath a C3PAO.

What are some of the disinformation floating around?

Timelines – Some pressers have stated that all DOD contractors and suppliers must be certified this year, that is simply not the case. Those companies are trying to push their products/services through fear tactics. Remember, the C3PAO program hasn’t been completed yet, let alone companies and assessors to conduct the audits trained and certified.

Company X is CMMC Certified to Level X – Again, the program is still under development so there are not any companies certified nor will be in the foreseeable 3/6/9 months and with that, the AB is only focusing on Levels 1-3 today.

As a supplier my Prime/Sub will require my organization to meet Level 5 when the contract only requires Level 3 – This is a tricky one. The contract holder needs their supply chain to meet contract obligations. If a contractor places a more stringent certification level on their suppliers then they need for themselves, they will be limiting their ability to fulfill the contract. Levels 4-5 can become very expensive and only a limited percentage of the large contractors will have to certify to this level.

C3PAOs can provide CMMC services and audits for the same company – NO! The DOD and CMMC-AB has made it very clear that the service provider cannot also audit the very program they manage/maintain/advise on. The term coaching has been thrown around, such as “I can coach them on CMMC and then audit them.” Again this is not allowed; just because the service provider uses different nomenclature to get around the service/audit conflict on the surface, the AB will push back on the certification application. If you choose to work within this scenario, you will risk your certification and accreditation.

Thank you all for taking the time to read! Please shoot me an email or leave a comment here if you have any inputs or additional questions I may be able to find the answer for.

Stay tuned for more!