Cybersecurity, CMMC, DOD

The DoD is proposing new requirements for government contractors regarding CMMC assessment and certification.

CMMC requires a third-party assessment of a contractor's internal cybersecurity practices and processes that results in a certification at one of five levels, with Level 1 denoting the lowest level of compliance and Level 5 the highest. This will allow the DoD to quickly determine the cybersecurity capabilities and institutionalization level of contractors and subcontractors. It is anticipated that most prime contractors will require a Level 3 certification; Levels 4 and 5 focus on defending against advanced persistent threats and are expected to account for less than five percent of the defense industrial base. The DoD has stated it will require CMMC certification for all subcontractors in the supply chain, although the level required of a subcontractor may differ from the level required of the prime contractor.

Only contractors, including their partners and subcontractors, that have already met the minimum CMMC level specified in the Request for Proposal (RFP) will be eligible to bid on a contract. Certification therefore becomes an immediate go/no-go decision for any company that wants to compete for the next multimillion-dollar award.

The proposed change applies to CMMC Level 3 assessments, which cover companies that handle the department's controlled unclassified information (CUI). Under the change, a Certified Third-Party Assessor Organization (C3PAO) conducting a Level 3 assessment would need to staff it with four full-time provisional assessors, rather than one assessor and three "registered practitioners" as currently allowed.

Small businesses in the defense industry are already concerned about the cost and timeline of the CMMC program, and this change is heightening fears that CMMC certification will put them out of business, or at least out of the running for defense contracts.

Small businesses have also testified before Congress that communication and outreach about CMMC requirements has often overlooked them, and that proposed changes are being made without considering the impact on small businesses.

“CMMC represents a basic list of cyber hygiene every business needs to comply with in the 21st century,” said Don Lawson, vice president of Cybersecurity & Training Systems for Cybernet Systems Corporation. “The cost of ignoring the threat or doing the bare minimum is significantly more than the cost of compliance and instilling a more secure culture in our small business workforce.”

“The good news,” continued Lawson, “is that there are reasonable solutions available for small businesses. Companies like Cybernet are available to businesses of all sizes to explain the certification process, as well as implement it.”

Read more about the changing requirements on FedScoop.
