CMMC and Alabama Companies

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC program is a new set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense companies from cyber attacks. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” (Level 1 to Level 5). The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award. The DoD delivered the CMMC 1.0 standard on January 30, 2020 and later updated it to version 1.02.

Helpful links:

See ACCESS Resource page for a copy of the latest released CMMC model and supporting documents.

How will CMMC work?

The DoD will require CMMC certification by a third party before any contractor can win a DoD contract. The DoD has appointed a non-profit group, the CMMC Accreditation Body (AB), to oversee the certification process. The AB will certify third-party inspectors. These Certified Third-Party Assessment Organizations (C3PAOs) will then certify companies against the different CMMC standards/levels. The C3PAO inspectors will provide companies’ certification levels to the AB for tracking and for provision to the DoD. The AB will not make CMMC certification levels publicly available. For more information on the AB, please visit their website: CMMCAB.org

Who are these C3PAO companies?

The CMMC AB will develop the certification criteria and begin certifying C3PAOs in the summer of 2020. UAH will not be seeking C3PAO certification. We will provide updates on the C3PAO certification as the CMMC AB communicates it. Go to the CMMC AB Market Place for the latest on C3PAOs.

How will CMMC impact Alabama companies?

The new CMMC program will require certification for all companies currently doing business with the DoD or that want to do business with the DoD. This group of affected companies includes companies supporting the DoD through contracts and subcontracts, including services. The DoD estimates that over 300,000 companies will eventually need to be certified. All companies will need at least CMMC Level 1 certification.

When will CMMC be rolled out?

DoD published the initial set of CMMC standards on January 31, 2020 and quickly followed up with an update in March 2020 (see CMMC Model 1.02). On November 30, the DFARS 252.204-7021 clause went into effect; it states that by October 1, 2025, all entities* receiving DoD contracts and orders will be required to have the CMMC Level identified in the solicitation (the minimum will be CMMC Level 1). Between now and then, CMMC will be rolled out on new RFPs. It is estimated that 60% of the Defense Industrial Base (DIB) will require Level 1 certification and 30% will require Level 3 certification.

*The only exceptions are commercially available off-the-shelf (COTS) items and contracts valued at or below the micro-purchase threshold.

Who will decide the required CMMC level for each contract?

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs). The DoD is currently developing a plan to educate acquisition professionals on how to set the appropriate CMMC level for each contract.

How will CMMC compliance be different from compliance with NIST SP 800-171 through DFARS 252.204-7012?

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2. Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes plus all of those specified in the lower levels, so the levels are cumulative.

How will CMMC impact subcontractors?

At a minimum, all subcontractors will be required to carry CMMC Level 1 Certification to continue to participate in DoD contracts, so long as the subcontractor does not solely produce COTS products and the contract is not at or below the micro-purchase threshold. Additionally, a prime contractor may require Level 3 Certification for a contract while its subcontractors may require different levels of certification. Prime contractors will work with contracting officers to determine the CMMC levels required for subcontractors. The process for determining subcontractors’ CMMC certification requirements is still evolving.

What questions do Alabama companies have about CMMC?

If you have any questions regarding CMMC or how it may impact your business, please contact us.

Resources available to Alabama companies on CMMC

The ACCESS team is hosting education seminars and workshops to educate companies on CMMC and the DoD cybersecurity regulations.

ACCESS Seminar and Workshop Schedule

The ACCESS Program provides technical assistance to Alabama companies to help small- to medium-sized companies become ready to meet the new DoD cybersecurity requirements.

Assistance Qualification

Other cybersecurity resources and information are available through ACCESS.

Cybersecurity Resources