DoD government contractors know that CMMC Compliance is critical. They also know that the Compliance process can be complex and confusing. Each webinar in our CMMC Compliance series is designed to provide you with a solid understanding of the new DFARS requirements. Our goal is to help you “connect the dots” in the complex CMMC Compliance process.
Working with ATS is a breath of fresh air. ATS takes our information security concerns seriously and advises us how to avoid potential pitfalls with both hardware and software. We are beyond thrilled with ATS and only wish we had selected them a year earlier.
Joseph A. AppelbaumPresident & CEO, Potomac Companies, Inc.
ATS has been our trusted partner in recent upgrades we have made to our IT infrastructure and cyber security. Their account management, project management, and technical teams have all provided top-notch service, guiding us to make informed decisions, managing timelines for multiple projects, and most of all, listening to our needs and making recommendations based on our unique work environment. During the transitions, they have kept us operating smoothly and provided quick and helpful support through their Help Desk.
I just wanted to take a moment to reach out and thank you for the excellent service you and your team have provided with the hosted SIEM solution. AlienVault is great, but the real value comes from your partnership. The appliance would not do nearly as much for us without your monitoring and consulting services. You have always been on top of things and there for us whenever there is an incident. I feel confident in that our network is secure and I am able to report that our board and clients with full assurance.
The Department of Defense (DOD) has published a new set of cybersecurity requirements for doing business with the Department: The Cybersecurity Maturity Model Certification (CMMC). By 1 October 2025, every DOD contractor will be required to obtain a CMMC certification.
CMMC compliance is critical to DoD contractors, but the CMMC compliance process can be complex and confusing.
Register now for the 1st in our free live webinar series, Wednesday, February 3 at 1 p.m. EST.
Why is CMMC Necessary?
Unfortunately, the Defense Industrial Base (DIB), comprised of an estimated of 220,000 companies, lacks adequate cybersecurity. Intellectual property theft from the DIB costs companies an estimated $600 billion annually. Recognizing the problem and the devastating economic impacts on the government and industry, the DOD has unveiled the CMMC as the path towards hardening the DIB.
The Secretary of the Navy published a Cybersecurity Readiness Review in March 2019 which states, “The systems the U.S. relies upon to mobilize, deploy and sustain forces have been extensively targeted by potential adversaries, and compromised to such extent that their reliability is questionable.” The report continues, “Despite forward-leaning efforts by the DIB Executive Steering Committee (ESC), the DIB continues to hemorrhage critical data.”
Organizations of all sizes are attacked on a daily basis, and without a robust cybersecurity program in place, those attacks go unnoticed by the victims– even the successful ones. While cybersecurity is not a new requirement in DOD acquisition, the CMMC makes cybersecurity foundational in all contracts.
Making Security Foundational
The CMMC requires cybersecurity controls to be verified by an independent third party called CMMC Third-Party Assessor Organization (C3PAOs.) Certified assessors employed by C3PAOs will conduct assessments of DOD contractors’ unclassified networks. Upon a successful assessment of a company’s unclassified network, the C3PAO will grant that company the appropriate CMMC certification. A CMMC certification is not required to bid on a DOD contract, but a company bidding on a contract with the CMMC requirement must be granted a CMMC certification at the DOD directed Maturity Level (or a higher level) by the time of contract award.
As stated by Andy Stewart, Senior Federal Strategist, Cisco, “This [the CMMC] couldn’t come at a more critical time. The aftermath of the SolarWinds hack is a sharp reminder of the importance of securing supply chains from cybersecurity vulnerabilities.”
Publication of CMMC and the CMMC Accreditation Body
DOD released Version 1.0 of the CMMC in January 2020, and an updated version (Version 1.02) in March 2020.
In January 2020, the CMMC Accreditation Body (CMMC-AB) was formed by a volunteer group of cybersecurity and consulting professionals from across the United States. The CMMC-AB has been charged by the DOD with training and certifying the cadre of CMMC assessors that will grant CMMC certifications to the entire DIB.
Who is Impacted by CMMC? Do We Really All Need It?
Every organization doing business with the DOD will need to get certified-except those companies that solely produce Commercial-Off-The-Shelf (COTS) products and companies with contracts below the micro-purchase threshold. Every DOD contractor will need to achieve at least a CMMC Maturity Level 1, which is equivalent to the FAR 52.204-21 requirements to safeguard Federal Contract Information (FCI). Any company that processes, transmits, stores, or otherwise handles Controlled Unclassified Information (CUI) will need to achieve at least a CMMC ML 3.
The CMMC Maturity Levels
Each CMMC maturity level has associated controls and processes. The CMMC adds additional requirements to the NIST SP 800-171 controls, necessitating more elevated controls at each higher maturity level. Each of the maturity levels are cumulative, meaning that to achieve ML3 a company must also comply with ML 1 and ML 2.
While the CMMC ML1 through ML3 are based on NIST SP 800-171 Revision 2, the CMMC domains vary slightly from the NIST domains [families].
DFARS Interim Rule
On December 1, 2020, the interim rule which amends the DFARS to implement the CMMC went into effect. In addition to introducing the DFARS clause implementing the CMMC, this rule amends DFARS subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the NIST SP 800-171 DoD Assessment Methodology.
While the DFARS interim rule directs the inclusion of the new DFARS clauses into new solicitations gradually over the next few years, the DoD and large prime contractors have already begun to require companies to conduct a NIST 800-171 self-assessment and report the score into SPRS, even if companies do not process, transmit, or store CUI.
Roadmap to Certification – Register for the Webinar
CMMC compliance is two things.
Absolutely critical for defense contractors
Nuanced and confusing
With a series of free webinars, ATS will provide all of the keys necessary to understand CMMC compliance starting with “NIST 800-171 Self-Assessment and the CMMC,” Wednesday, February 3 at 1 p.m. EST. In subsequent webinars, we’ll cover other topics that will help you get and maintain that critical CMMC Compliance certification.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.