What is CMMC, and How Does it Impact Federal Contracting?
The system will ensure defense companies implement appropriate cybersecurity practices and processes.

The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) is a multi-level cybersecurity certification system for contractors doing business with the federal government. CMMC codifies cybersecurity practices to ensure an engaged culture of cybersecurity throughout a contractor’s supply chain.
DOD first launched the standard Jan. 31, 2020, and its acquisition and sustainment CISO, Katie Arrington, has been spearheading the effort.
According to the General Services Administration, the system “establishes and verifies that companies within the Defense Industrial Base (DIB) are implementing cybersecurity measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.”
There are five levels to CMMC. Level 1 requires basic cyber hygiene practices; Level 2 requires documentation of those practices; Level 3 requires a top-down plan for implementing and demonstrating them; Level 4 requires regular reviews of the practices to ensure compliance and effectiveness; and Level 5 requires standardization and optimization of best cybersecurity practices across the organization.
Contractors must pay for a third-party assessment in order to achieve each level of CMMC.
DOD approved the first third-party assessor for CMMC accreditation, Redspin, June 9. It also approved Kratos Defense and Security Solutions as a third-party CMMC assessor June 16.
By fiscal year 2025, the agency said it is targeting 475 prime acquisitions that include CMMC requirements.
What does this mean for contractors?
By 2026, every federal government contractor will need to hold at least CMMC Level 1. Until then, only DOD contractors will need CMMC Level 1, 2 or 3, depending on the contract. There are currently seven DOD contracts requiring some level of CMMC, and GSA has included CMMC language in two of its upcoming contracts: STARS III and Polaris.
What is the industry perspective on CMMC?
Industry views on CMMC are mixed. While cyber experts and contractors acknowledge the need for standardized cybersecurity requirements, many are concerned about the accelerated timeline for implementation and assessment costs. Some members of the industry say DOD has not given clear communication or direction regarding the CMMC rollout.
During a June 24 hearing with the House Committee on Small Business, some small business representatives expressed concerns over CMMC assessment costs. Some worry that larger contractors with bigger budgets will edge out smaller companies that can’t afford a CMMC assessment.
“An additional mechanism that would ensure more effective implementation is to allow companies to have a Plan of Action and Milestones (POA&M) after a CMMC assessment,” Michael Dunbar, a small business executive testifying on behalf of the HUBZone Contractors National Council, told the committee. “Currently, CMMC certification is an all or nothing process — if an assessor determines your company is at a Level 2 because of only a few factors, there is no way to make the necessary changes and achieve a Level 3 certification. Further, there is no dispute mechanism for companies to challenge a given certification level. This is problematic because assessments are subjective, and companies should have the ability to use a resolution process to settle CMMC assessment disputes, especially small businesses.”
Seth Storie, a Quality Assurance Manager with ArdentMC, a small IT contractor with Amazon Web Services (AWS), said the first level of CMMC involves “basic” cybersecurity measures that everyone should be doing regardless of DOD’s requirements.
“They’re really simple and for the most part there’s really nothing in there that’s a heavy lift for a company to comply — these are things that are the bare minimum,” he said in a CyberCast interview with GovernmentCIO Media & Research.
While Storie agrees with the reasoning and the “spirit” of CMMC, he worries how his company will handle the timelines for certification.
“From a small business standpoint, looking at some of the investments, we really have to think hard about what level we wish to attain and the contracts associated with it,” he said. “There’s almost a bit of a catch-22 because there’s a significant enough investment that you really have to have a contract lined up that you’re going to go after for it to be worthwhile, but then the other side of that is, at that point you’re almost too late, it takes too long to get certified, so because right now the CMMC Accreditation Board is talking about a six-month window between seeking certification and being certified so that’s what’s definitely a concern.”
From DOD’s perspective, “the costs associated with implementing CMMC requirements, supporting the CMMC assessment, and contracting with the C3PAO will be considered an allowed cost,” according to a page on the Office of the Under Secretary of Defense for Acquisition and Sustainment’s website.