The Cybersecurity Maturity Model Certification (CMMC) is an accreditation process developed by the Department of Defense (DoD) that measures the cybersecurity maturity of government contractors. Once implemented, all organizations that do business with the DoD will need to meet CMMC requirements to be awarded a DoD contract. There are five levels of certification based on the types and sensitivities of the data and information that contractors need to access, store and protect. CMMC organizes business processes, practices and capabilities into 18 domains, which in turn contain numerous specific security requirements. See below for more detailed information on CMMC and how it will affect your organization when doing business with the DoD.
 

Purpose

CMMC is intended to ensure organizations are using appropriate levels of cybersecurity practices and processes to protect controlled unclassified information (CUI) on the DoD’s industry partner networks. The DoD is planning to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB), an ecosystem of approximately 300,000 companies of all sizes across multiple industries that sell products and services to the DoD.

Affected Parties

Although it has not been implemented yet, CMMC will require technology vendors, channel partners and systems integrators selling to the DoD to make investments in their cybersecurity capabilities if they want to obtain certification. What should you expect?

According to the Office of the Under Secretary of Defense for Acquisition and Sustainment, CMMC assessment costs will depend upon several factors including the CMMC level, the complexity of the DIB company’s network and other market forces. The goal is for CMMC to be cost-effective and affordable for all companies.

Still, technology vendors, channel partners and systems integrators needing CMMC accreditation will have to plan for expenses: assessment costs, remediation costs and changes to business processes. Remediation costs will depend on the current strength of a company’s security posture. Organizations with strong security will have fewer issues to mitigate and lower mitigation costs. The size and complexity of the company are also a factor. An organization of 300 people faces a less expensive task than a company of 15,000. The sensitivity of the data under the company’s control is another key determinant: if a company handles classified data, it will need a higher-level certification and can expect to spend more than an organization processing information at a lower sensitivity level.

Timeline

As of September 8, 2020, the DoD has not set an exact date on when certifications will be required. However, it is likely that early-to-mid 2021 is a reasonable target date. Once this occurs, companies will be allowed to bid on a request for proposal (RFP) even if they have not been certified, but if the RFP includes a CMMC requirement, a company will not be awarded a contract until it is certified.

Accreditors

Third-party organizations, or CMMC Third-party Assessment Organizations (C3PAOs), will measure a company’s security posture against these domains and provide a certification at one of the five levels. There are currently no C3PAOs authorized to provide CMMC accreditation. However, there has been a down-select to about 70 potential companies.

CMMC Resource Information

Access whitepapers, case studies and other educational resources related to CMMC below or listen to on-demand webinars to see how CMMC will impact your organization.

Preparing Our Partners for CMMC — DLT is holding a CMMC panel discussion to help prepare your organization for the impending DoD requirement. As a DLT partner, we offer you the unique opportunity to join our webinar and gain key insights about CMMC from leaders at DLT, Coalfire, and the DoD, including Stacy Bostjanick, Director of CMMC Policy for the OUSD A&S.

Plan and Prepare for DoD’s CMMC Compliance in a Cloud-based Environment — DLT and Coalfire have partnered to help examine the intricate certification levels and controls of the Department of Defense's CMMC compliance, with additional details on the impact on managing workloads in the cloud.

Automation and CMMC — Meeting the network documentation, vulnerability analysis, and remediation requirements specified in the CMMC can be a daunting manual task. Learn how NetBrain automation can reduce the time and manpower requirements by upwards of 90%.

Does Your Organization Know the Security Posture of Your Federal Contractors? — Jake Olcott, VP of Government Affairs Communications, BitSight, one of the leading security ratings service providers, and Don Maclean, Chief Cybersecurity Technologist from DLT, discuss what to look for when selecting the third-party risk management solution.

CMMC: A Challenge and an Opportunity — CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene, as well as protect CUI that resides on the industry partners’ networks. Read DLT’s whitepaper today to get a better understanding.


CMMC Articles

Stay up-to-date with the latest developments in CMMC. It is constantly evolving, so staying informed of how it will impact your business with the DoD will better prepare your organization for success. Get the latest information below.

The CMMC and continuous monitoring – is it a good idea?
In April of this year, the CMMC advisory board issued an interesting RFP that caught a few off guard and raised a lot of questions among the defense industrial base (DIB). That RFP involved the creation of a continuous monitoring portal. This RFP seemed rushed to some, and raised concern among others.

CMMC V1.0 – what is it and will it work?
The Cybersecurity Maturity Model Certification (CMMC) has a potential impact on small- and medium-sized government contractors. The Department of Defense (DoD) is taking incredible steps to ensure that the CMMC doesn’t keep small companies from working with and selling to the government.

CMMC for SMBs – What should smaller contractors expect?
We know that the adversary looks at our most vulnerable link, which is usually 6-7-8 levels down in the supply chain. This has been a common theme among government and military cybersecurity experts and professionals over the past few years.

What your organization needs to know about CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a new requirement from the U.S. Department of Defense (DoD). It mandates that DoD contractors obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet “basic cyber hygiene.”

General Dynamics – Ordnance and Tactical Systems CISO Talks Best Cyber Practices in Defense Industrial Base
The movement towards remote work and digital tools over the past few months has resulted in a massive change in the amount of data flowing over networks and has drastically increased the importance of advanced IT tools and capabilities across the DoD and the Defense Industrial Base (DIB).


CMMC Blogs

What are the “boots on the ground” saying about CMMC? Get vital information from DLT that will give visibility into the latest CMMC developments and see how technology providers, channel partners and systems integrators are preparing for accreditation.

Cybersecurity October 29, 2020
If your business sells products or provides services to the Department of Defense (DoD), then you should know about the Cybersecurity Maturity Model Certification (CMMC) program. 
October 21, 2020
DoD has recently incorporated CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS Case 2019–D041, available here https://bit.ly/30LXAeE). The rule change is currently open for public comment, and I urge all interested parties to read it and provide input.
Cloud July 1, 2020
In previous years you would have ventured to our nation’s Capital to take part in the AWS Public Sector Summit. This year’s event – as you could imagine – was a virtual experience. Although I and my fellow DLT colleagues wished we could have been there in person, we really enjoyed our time at this year’s Summit. Much like what has been the theme of 2020, AWS had to adapt and innovate to these unprecedented times. They certainly rose to the occasion and put together a unique and valuable experience for their attendees.
Cybersecurity March 20, 2020
Last week, my associate, Shane Rogers, shared an article on GovCybersecurityHub discussing the Cybersecurity Maturity Model Certification (CMMC) and its potential impact on small- and medium-sized government contractors.
IT Perspective January 6, 2020
2019 has ended with more uncertainty than normal—even than the federal government is used to. Last year at this time, of course, Christmas brought the advent of a record-long lapse in appropriations for about half the departments and agencies. The exceptions of Homeland Security, Defense and Veterans Affairs kept IT dollars flowing, but the partial shutdown left its mark nonetheless. The ugly impeachment process working its way down the hall from the House to the Senate might be a psychic distraction but will have no effect on IT procurement.