Discover the steps to achieve CMMC compliance now!
Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… Until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation: the Cybersecurity Maturity Model Certification (CMMC).
Since the standard hasn’t even been finalized, it would be presumptuous for us to call ourselves CMMC “experts.” We are, however, experts at developing and managing information security and privacy management systems that comply with government and industry regulations. We have also helped organizations ranging from $500K to $3B comply with DFARS clause 252.204-7012 and NIST SP 800-171, which cover 110 of the 131 controls required for CMMC Level 3 certification. So, while CMMC is a new certification scheme, the process of preparing for CMMC certification isn’t.
Beginning in mid-2020, CMMC certification will be an absolute requirement to bid on DOD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DOD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.
We believe there is a Darwinian element to CMMC. Organizations that can “adapt” to the new reality will not only survive but are likely to prosper by taking business from those that can’t adapt. Be the pigeon, not the dodo.