The Department of Defense under the Secretary of State has recently created the new CMMC (Cybersecurity Maturity Model Certification) program. This program was begun in response to the large number of government contractors with access to CUI (Controlled Unclassified Information) who have not achieved DFARS (Defense Federal Acquisition Regulation Supplement) compliance.
What this means:
- All government contractors and their suppliers with CUI data will now be required to comply with both DFARS regulations and CMMC accreditation.
- The CMMC rating audit will be performed by specific, certified third-party auditors. The scale ranges from 1 (lowest) to 5 (highest). To access CUI data, a 3 or 4 rating is generally required.
- Starting in the Fall of 2020, RFPs (Requests for Proposals) will carry the CMMC (Cybersecurity Maturity Model Certification) requirement. It will appear in at least 10 main net new contracts affecting 1500 businesses. These contracts have not been determined. The ranking attached to each contract will be determined during the RFI (Request for Information) process in the summer. This means that, to acquire a level 3 CMMC contract, you will need to be certified at the same level.
- SSPs and POA&Ms will no longer be an acceptable deferment program for CMMC certification.
How F1 can help your business
F1 Solutions is happy to act as your trusted advisor for all things CMMC. We are able to consult on gaps that exist in your environment based on current CMMC and DFARS controls. We are able to advise you on remedial actions and provide the products and services to help meet controls from these regulations and standards. No one is an expert in CMMC right now since the program is still so new and being developed. However, F1 is making huge efforts to stay up on the latest information coming from the CMMC group and the accreditation board. We have already reached out to several industry partners whose intent is to become a C3PAO auditor and are working through some logistics at this point. If F1 is not able to certify clients that we have a consulting relationship with, then we will be able to assist in identifying the right third-party partner to work with.