By Scott M. McAuliffe, CPA, CISA, CFE, Partner, Risk Advisory Services
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
CMMC program requirements and timelines for DoD prime and subcontractors
On February 23, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) held a Town Hall Meeting to provide updates on the CMMC program rollout and provide answers to the most frequently asked questions. As with the previous town hall meetings, the CMMC AB and the DoD continue to provide greater clarity on the program requirements and timelines.
Overview of CMMC Accreditation Body Town Hall Meeting
For DoD prime and subcontractors, the most significant topics that were discussed and answered during the meeting were:
- The DoD has begun performing “pilot” CMMC assessments. For 2021, the DoD is selecting 15 contracts that will require CMMC assessments. The table below details the Service/Agency and Programs that were selected to have CMMC pilot assessments performed. From these Programs, the DoD has already selected 14 of the 15 contracts that will require CMMC assessments and held kick-off meetings for nine of these contracts.
Service/Agency and Programs Selected for CMMC Pilot Assessments
- The DoD is providing training to Government program managers and contract officers to ensure they understand the CMMC Maturity Levels (MLs) and how to determine the correct Maturity Level(s) for the contract. The DoD does not want contract officers to define all contracts at ML-3. The DoD believes that over 60% of DoD contracts will only need ML-1 certification.
- If a contract has the DFARS 252.204-7019 clause requirement, the prime contractor will be required to have a current NIST SP 800-171 DoD Assessment posted in the Supplier Performance Risk System (SPRS) to be eligible for contract award. Prior to awarding these contracts, a contract officer will review the SPRS to verify the contractor has a score in the system.
- If a contract has the DFARS 252.204-7020 clause requirement, the prime contractor must flow down the clause and ensure that applicable subcontractors have the results of a current Assessment posted in SPRS prior to awarding a subcontract or other contractual instrument.
- The CMMC AB has stated in its guidelines that the practices must be in place and operating for a contractor to “pass” a specific requirement. Contractors and organizations assisting contractors with readiness activities have been requesting further guidance on how long a practice needs to be operating to be considered “in place.” The CMMC AB has not yet developed this guidance.
- For ML-1 through ML-3 certifications, contractors can include the CMMC costs in their overhead rates. For contracts with ML-4 or ML-5 requirements, the cost can be billed directly to the program.
- The CMMC AB is still in the process of evaluating whether reciprocity will be granted for organizations that have other certifications such as ISO 27001 or FedRAMP.
- There were many questions on the use of cloud providers and the impact CMMC has on the providers that a contractor might use. Contractors will need to evaluate their third-party cloud providers that have access to the Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to ensure the providers can demonstrate that they have the appropriate practices/policies in place in accordance with their CMMC maturity level.
Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.
Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.