A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

DoD’s Cybersecurity Maturity Model Certification Is Here: What Your Business Needs to Do to Prepare

On September 1, 2020, Department of Defense (DoD) contractors will be required to comply with the recently released Cybersecurity Maturity Model Certification (CMMC) requirements. The CMMC requirements are designed to ensure that suppliers, contractors and subcontractors working with the DoD’s Office of Acquisition and Sustainment have cybersecurity frameworks in place “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).” Through the creation of the CMMC, DoD appears to be enhancing the requirements of NIST 800-171, ISO 27001 and other cybersecurity-related frameworks.

The CMMC model delineates five “maturity” levels, with level 1 being the least secure and level 5 being the most secure. Once the CMMC takes effect, DoD will assign all solicitations an appropriate maturity level that bidders must be able to meet if they wish to bid on the solicitation.

Potential bidders also will have to meet 17 “security domains” within each of the five maturity levels of the CMMC. These maturity levels are cumulative, meaning that if a company wants to certify at level 3 under the CMMC requirements, it would also have to comply with all of the requirements of levels 1 and 2. Thus, a winning level 5 bidder could be required to comply with up to 171 different cybersecurity requirements in order to meet CMMC certification guidelines. The level of maturity that a company will need to obtain will be based on the amount of sensitive data, Controlled Unclassified Information (CUI), and unclassified data that requires specific safeguarding that the company works with or plans to work with as a DoD contractor or subcontractor.

One of the most notable aspects of the CMMC requirements is that they prohibit contractors and subcontractors from “self-certifying” their cybersecurity readiness. Under the CMMC, contractors will need to have an official, independent third-party assessment organization (“C3PAO”) conduct a formal certification inspection to ensure that the DoD contractor is in strict compliance with the CMMC requirements. Failure to comply with the requirements of a particular maturity level renders the contractor unable to bid on new DoD solicitations that require the maturity level in question. Although the CMMC guidelines currently do not appear to be retroactive, DoD solicitations will begin referring to CMMC requirements as early as June 1, 2020, and the requirements will become mandatory on September 1, 2020.

Given the impending deadlines, the time for DoD contractors and subcontractors to start preparing to comply with the CMMC requirements is now. Faegre Drinker’s team can assist in the preparation process, including, among other things, the C3PAO compliance process. The firm also has prepared an assessment and compliance tool to assist businesses in achieving maturity levels 1 through 5 and in developing the necessary policies, procedures and gap analyses to comply with the CMMC requirements.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Peter Baldwin

Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

April 15, 2020
Written by: Peter Baldwin and Jason G. Weiss
Category: Cybersecurity, Privacy
Tags: CMMC, cybersecurity, department of defense