Do you have questions about the new cybersecurity certification? If so, this episode will help answer them. We sat down with Adam Austin from Totem Technologies to discuss how to navigate CMMC certification. You will learn about the current requirements for DoD contractors, how those requirements are currently being assessed, how the CMMC model is going to impact small businesses, and a lot more.
CMMC Q & A with Adam Austin:
Q: What is CMMC?
A: It stands for Cybersecurity Maturity Model Certification (CMMC). It is a new requirement for ALL Department of Defense contracts starting in the fall of 2020 or sometime in 2021. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
Q: Where is the government on implementation? Launch date?
A: New CMMC requirements will be included in an extremely limited subset of RFI/RFP in either September or November of 2020.
Q: Will DoD require companies to be certified BEFORE responding to an RFP?
A: That’s what the DoD has indicated, but there isn’t any written documentation to validate it. Once CMMC fully takes effect, certification will certainly be required before the contract begins.
Q: Has the government identified where to get certified yet?
A: No assessors are licensed yet, so no. The CMMC Accreditation Body will eventually publish a list of certified third-party assessment organizations (C3PAO) that can perform assessments.
Q: Can you confirm that contractors only need to be CMMC Level 1 to start?
A: That would facilitate a logical progression and advancement to higher levels of security, but no, this is an incorrect assumption. The CMMC Level will be specified in the RFI/RFP. If Controlled Unclassified Information (CUI) is processed under the contract, CMMC Level 2, 3 or above will be specified before the contractor can work the contract. CMMC Level 1 will be the minimum requirement for all of us contractors, as we all process Federal Contract Information (FCI), which requires 17 basic safeguards. But some companies will have an immediate requirement for higher CMMC Levels. This is going to be a challenge for some contractors. The lone exception to the CMMC requirements is those purveyors who only provide COTS to the government.
Q: Can we get a copy of Level 1 requirements for CMMC in order to start looking at the starting point?
A: Level 1 CMMC practices are exactly the same as the 17 basic controls currently required by FAR clause 52.204-21 to protect FCI. The definitive source is the CMMC Model site: https://www.acq.osd.mil/cmmc/draft.html. You can download the appendices and view the Level 1 Practices.
Totem is a cybersecurity compliance service organization that offers software to help contractors meet the requirements of DFARS, GDPR, and NIST SP 800-171.
Need something to read? Get your copy of Game Changers, the book, today!
The concepts and strategies shared in this book are the go-to secrets of each author.
You will learn:
★ What it takes to win in the government market
★ How to find the right revenue mix between definitive contracts versus contract vehicles
★ How to properly communicate your past performance
★ How to grow fast in the government market
★ The GovCon small business growth model
★ How to scale your government business
★ Understanding joint ventures
★ What it takes to win SBIR & STTR contracts
★ Winning sole-source contracts
★ Properly leveraging your 8(a) certification
★ Social selling in GovCon
★ Price to win strategies
★ Lean proposal management
★ Contract novation
★ Compensation for unanticipated costs and delays
★ Bouncing back from a losing streak
★ And more than 30 other concepts for growing your government business
Featured Guest: Adam Austin
Company: Cybersecurity Quarterback, Totem Tech