Announcing XQ’s CMMC Series

Malicious cyber actors are increasingly targeting the Defense Industrial Base (DIB) sector and the Department of Defense (DoD) supply chain. By exploiting vulnerabilities in cyber security, bad actors can steal valuable intellectual property and sensitive information, undercutting technical advantages, impairing innovation, and increasing risks to national security. The Cybersecurity Maturity Model Certification (CMMC) is a product of the Department of Defense’s (DoD’s) need to protect American interests against this growing threat.

CMMC improves, standardizes, and verifies cyber hygiene practices across the DIB. It outlines the required cybersecurity measures DIB members must take to protect sensitive, unclassified information across three maturity levels. Each level prescribes security practices commensurate with the sensitivity and risk of a specific category of information or data.

To be eligible for DoD contracts under CMMC, organizations must assess their security practices and achieve certification corresponding to the sensitivity level of desired contracts. This process helps verify a contractor can adequately protect information for a specific risk and sensitivity level. 

When CMMC was initially introduced in 2019, the model was criticized widely. Many felt it was too complex, rigid, and expensive to implement effectively. Its requirements threatened the survival of small contractors. 

In response, the DoD overhauled the program. In 2021, it released a second iteration, CMMC 2.0. CMMC 2.0 has fewer maturity levels, aligns with existing security standards, and, most importantly, allows contractors handling data of the lowest sensitivity level (Federal Contract Information, or FCI) to self-certify rather than requiring third-party assessments.

CMMC 2.0 is currently being codified via the federal rule-making process. The DoD aims to publish a Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule in March 2023, codifying CMMC 2.0 into law. Sixty days after its release, CMMC 2.0 requirements will begin appearing in DoD contracts. Thus, by May 2023, we can expect new DoD contracts to contain CMMC clauses. Only CMMC-certified contractors will be eligible to bid or seek renewal on contracts from this point on.

Despite these improvements, CMMC remains an obstacle for many DIB members. It is still complex and challenging, and certification can take six or more months to complete. Many small businesses are concerned about costs, timelines, and implementation requirements.

At XQ, we recognize that cybersecurity and compliance challenges like CMMC can be overwhelming. We want to help. With our provisional C3PAO (CMMC Third-Party Assessment Organization) partner, Captiva Solutions, we’ve developed a blog series to educate, inform, and support small and midsize businesses through the transition to CMMC 2.0. The series will outline the must-knows of CMMC in plain, easy-to-understand language and walk you through achieving CMMC compliance step by step. Consider subscribing for early access to CMMC resources, updates, and reminders.

Check back Wednesday for our next blog, CMMC 101. It will cover common questions about CMMC 2.0. Have something you’d like us to cover? Submit suggestions, questions, and comments here, or book a meeting to chat with us. We’d love to hear from you! 
