government building

Cybersecurity Maturity Model Certification (CMMC) raises the bar for contractors

The United States Department of Defense (DoD) will soon require all organizations conducting business with the DoD (i.e., defense contractors) to achieve a Cybersecurity Maturity Model Certification (CMMC) involving verification from independent auditors, which is expected to have an impact across the Defense Industrial Base (DIB). What can contractors do now to prepare their organizations to meet these new requirements?


The DoD is developing the CMMC framework in collaboration with Carnegie Mellon University’s Software Engineering Institute and Johns Hopkins University’s Applied Physics Laboratory, and released CMMC Model Revision 0.4 (DRAFT) earlier this month for public comment. The DoD is targeting final release of the CMMC framework, Revision 1.0, by January 2020.

The CMMC framework is considered to be a major development in the cybersecurity regulatory landscape, and will have significant impacts on defense contractors of all sizes. Following release of this framework, all defense contractors will eventually be required to achieve a CMMC – involving an audit to be conducted by an independent and qualified third-party organization – in order to conduct business with the DoD.

Not only will the DoD require defense contractors to comply with these new requirements, but it will also require contractors to flow these requirements down across their supply chains, adding additional subcontract oversight and risk burdens to higher-tier contractors.

CMMC overview and background

The DoD intends to use the CMMC framework as a mechanism for managing cybersecurity risk across the DIB – specifically with respect to protecting Controlled Unclassified Information (CUI) – through independent audits to verify defense contractors’ cybersecurity posture. Results of these audits will become discriminators within the DoD’s solicitation and award processes.

In addition, the DoD aims for the CMMC framework to expand and improve upon existing guidance for adequate cybersecurity controls, aligning cybersecurity safeguarding requirements with contractors’ risk exposure when handling CUI in performance of DoD contracts.

The CMMC framework does not replace current regulations and standards, such as DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” and NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Rather it will build upon existing guidance by introducing additional standards that transition away from the current self-reporting regime, to a new regime involving an independent verification process relative to defined risk considerations based on scope and requirements of respective DoD contracts.

Key elements of the CMMC framework

While development efforts are still very much in progress, based on information provided by the DoD as of this alert date (see DoD CMMC website here: CMMC), the CMMC framework will include but not be limited to the following key elements:

  • The CMMC framework will be based on various standards and best practices, including NIST SP 800-171, NIST Cybersecurity Framework (CSF), ISO 27001-2013, CIS Critical Security Controls (CSC), DIB SCC TF WG Top 10, CERT Resilience Management Model, and other sources.
  • The framework will map “practices and processes” to maturity levels ranging from 1 (basic) to 5 (advanced) where each level contains specific practices and processes necessary to mitigate increasing degrees of cybersecurity risk (i.e., maturity).
  • Any organization conducting business with the DoD, whether as a prime or subcontractor, will need to achieve, at minimum, a level 1 CMMC regardless of whether they are using or handling CUI in performance of those contracts.
  • The DoD will require organizations seeking to achieve a CMMC to engage an independent and qualified third-party organization to conduct an audit to determine the level of maturity achieved.
  • The DoD’s framework will contain instructions and guidance for third-party auditors. It is unclear to us how many professional services providers will enter this market, because liability for an auditee cybersecurity breach could be significant.
  • The DoD plans to publicize the CMMC certification levels achieved by defense contractors; however, detailed information regarding deficiencies (i.e., gaps) identified during audits will not be made public.
  • The DoD envisions an affordable and cost-effective CMMC certification process, and has publically confirmed the allowability of costs reasonably incurred to achieving certification.
  • The DoD plans to include CMMC requirements within Requests for Information (RFI) and Requests for Quote / Proposal (RFQ / RFP) by June and Fall 2020, respectively; keep an eye on sections L and M.

What should contractors do now to prepare for CMMC?

The CMMC framework is still under active development, and the DoD doesn’t expect to provide the full details of the complete framework to the public until January 2020 at its earliest. Defense contractors should, however, begin preparations towards achieving a CMMC now, or as soon as possible.

Given that the DoD is building the CMMC framework mostly upon existing guidance and standards, we recommended that – at minimum – defense contractors begin conducting self assessments of their cybersecurity capabilities against NIST SP 800-171 security requirements. Consider engaging third party organizations that specialize in facilitating such assessments.

In addition, defense contractors should assess their supply chain management (SCM) capabilities to identify where they need to strengthen processes and controls around flowing down, monitoring, and managing cybersecurity safeguarding requirements relative to DFARS 252.204-7012, NIST SP 800-171, and DCMA’s Contractor Procurement System Review (CPSR) Guidebook.

By conducting such assessments, defense contractors can identify proactively any deficiencies and begin corrective actions to position themselves for CMMC. Early action in this regard will reduce the risk of being precluded from DoD business opportunities while preparing to become certified. Depending upon the CMMC maturity level required, implementation of cybersecurity controls may be time consuming, requiring a commitment of resources both in terms of people and funding. This heightens the urgency for acting now rather than waiting for release of the CMMC framework.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.

Source – Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification (CMMC) Website:

Next up

Seven financial policies to review during budget season