Despite the coronavirus pandemic and its impact, the Department of Defense (DoD) has continued undeterred with its planned implementation of the Cybersecurity Maturity Model Certification (CMMC) program.

Even though the new Cybersecurity Maturity Model Certification (CMMC) meant to only add a verification component to the security requirements in DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) there is one area where it is changing the clause; sub-contractors.

CMMC Marketplace ensures that their cloud services meet FedRAMP qualifications adhering to NIST 800-53 and obtain FedRAMP authorization. While many cloud providers have rolled out their own unique government cloud solution, Microsoft stands out as one of the core services providing FedRAMP compliant environments.

Currently vendors doing work for the DoD need comply with subsection *(m) of DFARS 252.204-7012 which states “Contractor shall include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties”.

The language in the first drafts and presentations of CMMC imply that the standard for flowing down the requirement for being certified to at least level 1 will no longer be dependent on whether the sub-contractor is handling covered defense information. Instead all companies conducting business with the DoD will be required to be certified, including sub-contractors. Under the new CCMC language, which is scheduled to be inserted into RFPs starting next year, the required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts. The result would be the government would bear some if not all the cost to get everyone certified.

With the cost being subsidized the big question will be can small businesses who are sub-contractors on DoD contracts obtain a level 1 certification? Fortunately, the current description of level 1 requirements seems to be a low threshold which can be reached by following rudimentary cybersecurity best practices.

As always, the details are what will be important when CMMC is finally launched but as of now one of the biggest impacts will be the inclusion of a significant number of companies who had previously been exempted from DFARS 252.204-7012.

About CMMC Marketplace:

CMMC Marketplace connects government contractors those are looking to achieve cybersecurity maturity model certification (CMMC) compliance with qualified CMMC service providers.

For more information about CMMC Compliance & DOD Instruction 5200.48 visit our website