What the New CMMC Mandate Means for Defense Contractors

September 9, 2020 | blog

Ten years ago, defense contractors and supply chains were wrapping their heads around the Defense Federal Acquisition Regulation Supplement, or DFARS. This mandate required Department of Defense contractors to adopt and abide by cybersecurity standards according to the NIST SP 800-171 framework.

But given that adoption of DFARS has been slow, contractors must now shift their focus to the new Cybersecurity Maturity Model Certification, or CMMC. CMMC was developed to ensure that cybersecurity standards are properly assessed and adhered to, and to address security requirements throughout the defense supply chain.

Here’s what CMMC means for defense contractors and what you can do to prepare for CMMC compliance:

What to Know About CMMC

Cybersecurity issues are increasing around the world. Industries of all sorts and sizes are ramping up efforts to protect mission-critical information, particularly in light of massive data breaches and foreign interference in the 2016 elections.

You could say that the introduction of CMMC during an election cycle comes at the perfect time, where cybersecurity and information integrity and protection are on the minds of millions of Americans. The goal is to ensure all defense industry companies are taking every precaution to protect critical data throughout the supply chain.

Exploring the CMMC Rollout

CMMC is expected to define five maturity levels, starting with safeguarding Federal Contract Information (Level 1), moving to securing Controlled Unclassified Information (Level 3), and reaching full maturity in reducing the risk of Advanced Persistent Threats to national security (Level 5).

What makes CMMC different from DFARS is that companies will need to obtain CMMC certification prior to being awarded a contract. The new standards will impact any company doing business with the Department of Defense, either as a prime contractor or a subcontractor.

The full CMMC rollout is expected to conclude sometime in 2026. RFIs and RFDs are expected to introduce CMMC requirements as early as October 2020. Estimates show that more than 300,000 companies will be affected, most of them small- and medium-sized businesses that tend to participate in more non-traditional and non-procurement contracts.

How Defense Contractors Should Start Preparing for CMMC

Since smaller companies make up the bulk of those most affected by CMMC, unique challenges arise around certification. Smaller companies typically have fewer resources to allocate toward cybersecurity investments, so achieving certification may be a longer and more costly process.

However, companies should also realize that CMMC presents a number of new opportunities. For starters, early certification can serve as a competitive advantage and help companies progress toward maturity. It will allow them to bid on more contracts and avoid potential backlogs during assessment.

Also, foreign entities are looking to adopt CMMC standards, which may enable American companies’ access to more export opportunities.

We’ll keep you updated on any news or changes on CMMC as we hear it. Until then, head back to the AeroMed blog for more insights.