Government Contractors: When it Comes to CMMC, it’s Better to be Proactive

September 29, 2023

At a glance

  • Main takeaway: Despite launch delays and uncertainty, CMMC will be a requirement for many government contractors and will affect how the Department of Defense awards contracts. If you start preparing now to achieve CMMC compliance, it will give you a leg up on your competition.
  • Impact on your business: For some businesses, achieving CMMC compliance can take months, which puts the opportunity to secure profitable government contracts at risk and can result in a significant financial burden.
  • Next steps: Aprio’s Digital Advisory Services team is a CMMC Registered Provider Organization (RPO) and can perform an assessment to help you achieve your CMMC certification.

Are you ready to learn more? Schedule a conversation with our team.


The full story:

The implementation of the Cybersecurity Maturity Model Certification (CMMC) has been riddled with false starts, leading to compliance fatigue among government contractors like yourself. Nevertheless, CMMC is now a reality, and it’s not a question of whether the Department of Defense (DOD) will enforce CMMC certification, but rather when it will happen.

[Chart: CMMC vs. FedRAMP vs. OASIS]
  • DOD has completed the CMMC update, and it is undergoing review at the Office of Management and Budget (OMB). Once that review is complete, it is likely that the CMMC standard will be deployed, either as a final rule or an interim final rule. CMMC will likely begin to be phased into contracts as early as Q1 2024 but no later than Q1 2025.
  • A small business should expect a CMMC implementation to take up to 12 months to complete. Your business should move expeditiously to implement CMMC in anticipation that contracts may require a commitment to CMMC compliance for participation.

You might think that being NIST 800-171 compliant is enough and that CMMC certification is unnecessary. However, the situation has evolved, and it’s no longer a choice between the two for DOD contracts. The DOD prioritizes cybersecurity and aims to ensure that all government contractors, including those beyond the Defense Industrial Base (DIB), are well-equipped to safeguard sensitive government data they’ll handle. Consequently, to bid for and secure future DOD contracts, government contractors must now meet both NIST 800-171 and CMMC compliance requirements.

Be proactive and start making progress

Don’t let compliance deadlines catch you off guard. For many companies, CMMC compliance could take months to implement, and delaying CMMC certification could put your company at risk of being excluded from lucrative government contracts or of facing financial strain to meet the certification requirements. Since the compliance runway will likely be short, achieving CMMC certification early will give you a competitive edge and minimize potential stresses and challenges along the way. By taking proactive steps today, you will demonstrate your commitment to cybersecurity and position your company as a reliable partner for the DOD and other federal government agencies.

It’s all about data protection

There are two types of data that government contractors must be able to protect: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI consists of the terms, conditions and other information that is not intended for public release, whereas CUI consists of information that does not fall under the various classification levels but still requires strict security protections.

While cybersecurity guidance from the DOD for government contractors is not new, requiring CMMC certification will provide a way for contractors to prove they have strong cybersecurity programs in place and can protect FCI and CUI data. To reinforce the importance of safeguarding DOD information, CMMC restructured its security model, switching from five levels to three levels that are closely aligned with NIST SP 800-171r2. NIST SP 800-171r3 (initial public draft, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) is currently in draft, and the CMMC 2.0 Levels 1 and 2 are currently published. We are likely to see a revision of the CMMC standard to bring it into line with NIST SP 800-171r3, but today the levels are as follows:

  • Level 1, also known as “Basic Cyber Hygiene,” consists of 17 controls within four domains: physical access, operations and maintenance, documentation and knowledge sharing, and system access. This is the bare minimum security your company should already be practicing, especially in today’s environment.
  • Level 2, also known as “Intermediate Cyber Hygiene,” consists of 110 controls that are more closely aligned with NIST SP 800-171. In order to be certified as Level 2 compliant, you must go through an assessment by a CMMC Third-Party Assessor Organization (C3PAO).
  • Level 3, also known as “Advanced,” has not been published yet. Certification at CMMC Level 3 will first require a Level 2 certification audited by a C3PAO. After Level 2 certification has been completed, the organization would be audited separately by a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team if required.

The bottom line

On average, it will take 12 months to assess an organization’s ability to protect the data elements CMMC covers and to establish the security controls the standard requires. Don’t let the “will they or won’t they” catch you off guard and leave you unprepared to achieve CMMC certification. It’s better to be proactive rather than reactive: if you achieve your CMMC certification now, it can put you at the top of the pack, even over well-established contractors who are not yet certified, and one step closer to securing lucrative government contracts.

As a CMMC Registered Provider Organization (RPO), Aprio’s Digital Advisory Services team can perform an assessment to determine where you are today, identify any gaps compared to the standard and develop a readiness plan to help you achieve your certification. Schedule a conversation today.
