Contracting with the Department of Defense is a great opportunity to grow your manufacturing business. Before landing your first contract with the DoD, however, you'll need to meet a slew of regulatory compliance requirements. For manufacturing firms new to the game and with no expertise in this area, these requirements pose a real challenge. Firms that already have experience working with the DoD have some advantage, but failing to keep up with recent changes can still prove disastrous, in some cases even causing them to lose their contracts.
The Cybersecurity Maturity Model Certification (CMMC) is a DoD assessment program first published in 2020; the streamlined CMMC 2.0 was announced in November 2021 and is being phased into contracts through DoD rulemaking. It was created to enforce, not replace, the existing DFARS requirement that contractors implement the NIST SP 800-171 controls for safeguarding controlled unclassified information (CUI).
CMMC 2.0 changes how compliance with NIST SP 800-171 is verified before a DoD contract is awarded. Today most contractors simply self-attest that they meet the standard. Under CMMC 2.0 that remains the case only for the lowest-risk contracts: Level 1 and a subset of Level 2 contracts will still allow an annual self-assessment with a senior-official affirmation, while Level 2 contracts involving prioritized CUI will require an assessment by an independent, accredited third-party assessor, and Level 3 will require a government-led assessment.
The CMMC 2.0 requirements are a set of formal assessments designed to make sure that every manufacturer and supplier selling to the DoD meets the minimum cybersecurity requirements for the information it handles.
Any business that contracts with the DoD, or subcontracts with a business that does, and that handles federal contract information (FCI) or CUI under a contract carrying a CMMC requirement will need to meet the CMMC 2.0 level specified in that contract; the level flows down to subcontractors that handle the same information.
It's important to note that CMMC 2.0 requirements don't replace DFARS regulations. Every DoD contractor that handles CUI is still bound by DFARS 252.204-7012, which already requires implementation of NIST SP 800-171, and still runs the risk of losing its contracts if it does not comply with those minimum security requirements.
The CMMC 2.0 requirements are best seen as a verification layer on top of DFARS: for higher-risk contracts, an independent third-party assessment by a certified assessor will now be required instead of self-attestation. At Level 2 the assessment covers the 110 controls laid out in NIST SP 800-171; CMMC 2.0 dropped the additional "delta" practices and maturity processes of the original CMMC, and only Level 3 adds a subset of the enhanced controls from NIST SP 800-172.
For the contracts that require it, CMMC 2.0 certification means passing an assessment by a third-party assessment organization accredited by the Cyber AB (the CMMC accreditation body, formerly the CMMC-AB). Delays in obtaining the certification may hamper your business's ability to work with the DoD, and because this is a new process, it's likely there will be a backlog of assessments once it takes effect, so waiting until a contract demands it is risky.
To ensure that you're fully prepared for your CMMC 2.0 assessment, you'll need to conduct a gap analysis of your current cybersecurity practices. Whether you conduct this analysis in-house or with the help of a third party, you will first need to identify which certification level is required for the type of contract you're bidding on, because that determines both the set of controls you'll be measured against and who is allowed to assess you.
There are three levels of CMMC 2.0 certification. Level 1 covers the basic safeguarding practices for FCI taken from FAR 52.204-21, Level 2 covers the full 110 controls of NIST SP 800-171 for CUI, and Level 3 adds a subset of NIST SP 800-172. Preparing for any level requires a review of your current cybersecurity controls, a gap analysis against the matching control set, and evidence that each control is actually implemented. A practical tip: score yourself against the assessment objectives in NIST SP 800-171A rather than the top-level control statements, since that is the granularity an assessor will use.
For more information on CMMC certification levels and which certification level your company needs to acquire, check out this article.
In order to get certified, you have to pass a CMMC 2.0 assessment for the specific certification level you're trying to reach; the levels are cumulative, so Level 3 requires a valid Level 2 certification first. For Level 2, this assessment is conducted by a CMMC Third Party Assessment Organization (C3PAO). The Cyber AB maintains a public marketplace listing authorized C3PAOs so that organizations can find one.
Once you have selected a C3PAO, you will engage with it to conduct the assessment of your cybersecurity program. When you pass, your result is recorded in the DoD's Supplier Performance Risk System (SPRS), where contracting officers can see your certification level and determine whether you're qualified for a specific contract. A CMMC 2.0 certificate will be valid, in general, for three years, with an annual affirmation that you are still in compliance.
Appointing someone from your organization to be your designated CMMC leader would be a smart move. Your appointed CMMC leader will then be responsible for keeping up with updates to the program, scrutinizing each area of your cybersecurity hygiene, maintaining the system security plan and supporting evidence an assessor will ask for, and judging your company's readiness for an assessment. Needless to say, that person will also need to be fully versed in the CMMC 2.0 requirements, so make sure that they read our guide to CMMC compliance requirements.
If you’re unsure whether a current employee has all the necessary expertise required to get your company certified, you can instead consult with a trusted expert on DFARS regulations, like Charles IT. Since NIST SP 800-171 requirements make up a large part of the CMMC 2.0 certification process, it makes sense to work with a trusted provider who has extensive experience with DFARS compliance.
Whether you choose to take on this challenge in-house or enlist the assistance of expert consultants, you will need to do the following in order to increase your chances of successfully meeting your CMMC 2.0 requirements:
Your company's ability to conduct business with the DoD is on the line if you don't pass your assessment. You need to earn that certification on your first CMMC 2.0 assessment so that you don't lose critical time and revenue preparing for and conducting reassessments. CMMC 2.0 does allow a limited, time-boxed plan of action and milestones (POA&M) for a small number of lower-weighted controls, but the open items must be closed out within 180 days or the conditional certification lapses, so you should not count on it as a safety net. Make sure that you do everything right the first time. Start with a gap assessment.
Editor's Note: This blog was originally published on July 31, 2020. It was edited for accuracy on August 1, 2023.