CMMC Compliance: What U.S. Defense Contractors Need to Know

Is your company prepared for new CMMC requirements from the U.S. Department of Defense (DoD)? This article provides an overview of the changes, the implications for U.S. Defense Prime Contractors and Subcontractors, and next steps to help companies stay compliant. 

New cybersecurity requirements from the U.S. Department of Defense will have significant implications for defense prime contractors and subcontractors who hold existing contracts and subcontracts with the DoD or plan to bid on contracts in the future. 


What Are the Changes?

The U.S. Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) has developed the Cybersecurity Maturity Model Certification (CMMC) framework in concert with the Department of Defense stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the Defense Industrial Base (DIB) sector. 

The CMMC framework is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect: 

  • Federal contract information (FCI) – Information provided by or generated for the U.S. government under a contract and not intended for public release 

  • Controlled unclassified information (CUI) – Information that requires protection consistent with laws, regulations, and government-wide policies 

The CMMC will be used to establish the minimum level of cybersecurity controls that must be implemented and the minimum level at which these controls must be managed in a DIB vendor’s organization in order to work with the U.S. in matters related to defense. 

What Do the New CMMC Requirements Mean For U.S. Defense Companies?

The new requirements have the following implications:  

  • Beginning June 2020, CMMC requirements will be included as a part of DoD solicitations including: requests for information, invitation for bids, and request for proposals making uncertified members potentially ineligible to respond to or participate in bids.  

  • Organizations who intend to work with the DoD must make the entire network—or at least the part of network that processes, stores, and transmits FCI and CUI—compliant with the level of CMMC framework as mandated by DoD.  

  • Without a formally certified CMMC level of cybersecurity from a certified third-party assessor organization (C3PAO), companies in the DIB sector will have challenges providing the appropriate assurance of protecting the CUI. This will increase the risk of being ineligible to participate in U.S. DoD deals.  

What Should Defense Companies Do Next? 

Existing and potential contractors should take steps now to ensure they are compliant with the CMMC framework, to mitigate the risk to their business.  

The new framework outlines five levels of expected cyber hygiene (basic, intermediate, good, proactive and advanced/progressive) and process maturity (performed, documented, managed, reviewed, and optimizing) with each level outlining the expected cyber practices to be implemented. 


Chart of the levels of cyber hygiene 


The CMMC prescribes a total of 171 practices from 17 domains of cybersecurity spread across the five levels. 

Source: Image taken from Cybersecurity Maturity Model Certification (CMMC), Version 1.0. Copyright 2020 Carnegie Mellon University and The John Hopkins University Applied Physics Laboratory LLC. 

Chart of the practices prescribed by the CMMC

Considering the short timeline of formal inclusion of CMMC requirements in U.S. DoD solicitation, defense prime contractors and subcontractors should evaluate their readiness to comply with CMMC before being formally assessed by a certified third-party assessor. 

Source credit: Image taken from Cybersecurity Maturity Model Certification (CMMC), Version 1.0. Copyright 2020 Carnegie Mellon University and The John Hopkins University Applied Physics Laboratory LLC. 


How Can BDO Digital Help Your Company with CMMC Compliance? 

Our cybersecurity team can evaluate your company’s current state against the CMMC framework and help you take steps to reach a suitable level of maturity.  

Our advisors are experienced professionals with a diverse range of backgrounds, including information security, information technology, operations, data privacy, and business advisory. We have extensive experience with cybersecurity frameworks and assessments, including ISO 27001, NIST SP 800-171, PCI-DSS, HIPAA, NYDFS, FFIEC, HITRUST-CSF and many more.