CMMC and Alabama Companies

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC program is a new set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense companies from cyber attacks. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” (Level 1 to Level 5). The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award. The DoD delivered the CMMC 1.0 standards on January 30, 2020 and later updated them to version 1.02.

Helpful links:

See the ACCESS Resource page for a copy of the latest released CMMC model and supporting documents.

How will CMMC work?

The DoD will require CMMC certification by a third party before any contractor can win a DoD contract. The DoD has appointed a non-profit CMMC Accreditation Body (AB) to oversee the certification process. The AB will certify third-party inspectors. These Certified Third-Party Assessment Organizations (C3PAOs) will then certify companies against the different CMMC standards/levels. The C3PAO inspectors will provide companies’ certification levels to the AB for tracking and provision to the DoD. The AB will not make CMMC certification levels publicly available. For more information on the AB, please visit their website: CMMCAB.org

Who are these certified C3PAO companies?

No company is a C3PAO at this time. The CMMC AB will develop the certification criteria and begin certifying C3PAOs in the summer of 2020. UAH will not be seeking C3PAO certification. We will provide updates on C3PAO certification as the CMMC AB communicates them.

How will CMMC impact Alabama companies?

The new CMMC program will require certification for all companies doing business, or wanting to do business, with the DoD. This group of affected companies includes companies indirectly doing business with the DoD through subcontracts as well as companies that sell commercial products or services to the DoD. The DoD estimates that over 300,000 companies will eventually need to be certified. All companies on contract with the DoD will need at least CMMC Level 1 certification.

When will CMMC be rolled out?

The DoD published the initial set of CMMC standards on January 31, 2020 and quickly followed up with an update in March 2020 (see CMMC Model 1.02). Companies will have the ability to be certified in the coming months, while CMMC language will start appearing in Requests for Proposals and Requests for Information as soon as the summer of 2020. By 2026, all new DoD contracts will require an appropriate level of CMMC certification.

Who will decide the required CMMC level for each contract?

The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs). The DoD is currently developing a plan to educate acquisition professionals on how to set the appropriate CMMC levels for each contract.

How will CMMC compliance be different from compliance with NIST SP 800-171 through DFARS 252.204-7012?

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2. Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes in addition to those specified in the lower levels.

How will CMMC impact subcontractors?

At a minimum, all subcontractors will be required to hold CMMC Level 1 certification to continue to participate in DoD contracts, unless the company solely produces commercial-off-the-shelf (COTS) products. Additionally, a prime contractor may require Level 3 certification for a contract while its subcontractors may require different levels of certification. Prime contractors will work with contracting officers to determine the CMMC levels required for subcontractors. The process to determine subcontractors’ CMMC certification requirements is still evolving.

What questions do Alabama companies have about CMMC?

If you have any questions regarding CMMC or how it may impact your business, please contact us.

Resources available to Alabama companies on CMMC

The ACCESS team is hosting education seminars and workshops to educate companies on CMMC and the DoD cybersecurity regulations.

ACCESS Seminar and Workshop Schedule

The ACCESS Program provides technical assistance to Alabama companies to help small and medium-sized companies become ready to meet the new DoD cybersecurity requirements.

Assistance Qualification

Other cybersecurity resources and information are available through ACCESS.

Cybersecurity Resources