When should I become DoD CMMC-compliant?

When should I become DoD CMMC-compliant?

Last year, the US Department of Defense (DoD) announced a new rule requiring defense contractors to become fully compliant with the Cybersecurity Maturity Model Certification (CMMC) process starting in late 2020. The new security standard aims to further secure the supply chain, especially given the relatively slow adoption rate of the Defense Federal Acquisition Regulation Supplement (DFARS), introduced five years earlier. The new regulation aims to ensure that suitable levels of protection are put in place to protect controlled unclassified information (CUI) stored and transmitted from DoD contractor systems.

What is the DoD CMMC model?

The CMMC is a unified standard which applies to cybersecurity across the entire US defense industrial base (DIB). This includes more than 300,000 companies in the supply chain. It’s the DoD’s response to a rising number of compromises and data leaks occurring on contractors’ IT systems in recent years. The first version was published on January 31, 2020. Compliance will be mandatory in September 2020.  


Further reading: A Guide to CMMC 1.0: What Companies Should Know


The CMMC defines five levels of cybersecurity maturity ranging from basic security hygiene at level one to advanced security operations at level five. The CMMC levels are cumulative, which means organizations wanting to achieve a specific CMMC level will need to demonstrate compliance in the previous levels as well.

There’s a total of 17 domains, most of which originate from the security sections of the Federal Information Processing Standards (FIPS) publication. The domains include things like access control, asset management, and risk management. Each domain is further broken down into a set of processes and capabilities spanning across the five CMMC levels. There are 43 capabilities in total. Finally, the model consists of 171 practices spanning across the five levels for each of the capabilities and domains.

Who should become DoD CMMC-compliant?

The DoD and its supply chains are top targets for state-sponsored attackers, cyberespionage, and other threat actors. Yet only a small percentage of defense contractors have implemented all the security controls defined by the NIST. Given the rapid evolution of technology and the new cyberthreats that come with it, the DoD needs to reach the scale whereby the majority of its supply chain is well protected against attacks.

From September 2020, all DoD contractors will need the appropriate certification level to bid on Requests for Proposal. Level one is the minimum requirement for any defense contractor, but many RFPs require a higher level depending on the degree of sensitivity of the information it involves. Moreover, a potential contractor must meet all the requirements of any previous levels. Failing to meet even just one of the CMMC requirements from a previous level will bring the certification down to the level below it.

For many organizations, contracts with the DoD make up a significant part of their revenue. Since CMMC compliance will soon be a requirement for any new contracts with the DoD, it’s essential to achieve compliance as soon as possible to continue doing business in the sector. Compliance is also worthwhile for organizations that don’t currently work for the DoD since it can open up new business opportunities in the future. It’s also worth noting that DoD CMMC is one of the most comprehensive cybersecurity compliance regimes currently in place, so it’s a great way to establish an organization’s authority in cybersecurity.

How to become DoD CMMC-compliant

Certification preparations should start as soon as possible. The sooner an organization begins preparation, the more efficiently they can assess the gaps in their current cybersecurity hygiene. Contractors should start by pinpointing their cybersecurity gaps and taking the necessary steps to fill those gaps with the necessary cybersecurity solutions.

Once your organization has implemented the DoD CMMC requirements, you should be ready to acquire an official certification to validate your efforts to achieve a sufficiently high degree of cybersecurity maturity and open up additional opportunities to work within the DoD supply chain. However, self-certification is no longer an option for CMMC, unlike it was for DFARS. DoD CMMC certification can only be awarded upon a positive review by an accredited third-party auditor.

The easiest way to prepare for a CMMC audit is to work with a CMMC consultant, especially if you don’t have access to the necessary in-house expertise. For many contractors, it makes more sense to outsource the task, since it costs less, saves time, and ensures the necessary requirements have been met before an official audit.

Advice from your Charles IT experts

DoD contractors shouldn’t view CMMC compliance as something that’s complete the moment they’ve passed an audit. Instead, it should be approached as a starting point for iteratively improving your organization’s cybersecurity posture. Building a security-first company culture will add value throughout the business and open the doors to innovation. Becoming certified and working your way up through the levels will ensure you’re better positioned to compete in a highly lucrative market.

With many years of experience offering cybersecurity and compliance services, Charles IT can help ensure that your business is fully compliant with CMMC, DFARS and NIST regulations. Call us today to schedule your gap assessment!

New call-to-action

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”