Who Needs to Comply With CMMC?

What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a new requirement from the Department of Defense (DoD) for all of its contractors. The CMMC consists of five levels of maturity, each with its own set of requirements. In order to continue working with the DoD, your company will need to be certified at one of these levels.

What are the levels of CMMC?

There are five levels of CMMC, each with its own set of requirements. The higher the level, the more stringent the requirements.

  • Level 1: Basic Cyber Hygiene
  • Level 2: Intermediate Cyber Hygiene
  • Level 3: Good Cyber Hygiene
  • Level 4: Proactive
  • Level 5: Advanced/Progressive Cyber Hygiene

Why is CMMC necessary?

The CMMC is necessary in order to protect the sensitive information that the DoD shares with its contractors. This information includes everything from weapon system designs to personal data of service members. By requiring all contractors to implement the CMMC, the DoD can ensure that this sensitive information is protected.

So who needs to comply with CMMC?

Any company that stores, processes, or transmits Controlled Unclassified Information (CUI) for the DoD will need to be certified. This includes companies that provide products and services to the DoD, as well as companies that contract with other businesses that provide products and services to the DoD. In other words, if your company is involved in any way with supplying goods or services to the Department of Defense, you will need to be CMMC certified.

What are the benefits of CMMC certification?

There are many benefits to becoming CMMC certified, including:

  • Increased security of CUI
  • Greater trust from customers
  • Improved competitiveness for bids
  • Ability to work with a wider range of companies
  • Potential for increased revenue
  • Improved employee morale

How can my company become CMMC certified?

The first step is to contact a Registered Provider Organization (RPO) that is authorized to provide CMMC assessments. RPOs are organizations that have been approved by the CMMC Accreditation Body (CMMC-AB) to provide third-party assessments of a company’s compliance with the CMMC model. There are currently over 60 RPOs registered with the CMMC-AB, so you should be able to find one that is a good fit for your company.

The second step is to choose which maturity level you need to be certified at. There are five maturity levels, ranging from basic cyber hygiene practices to advanced and progressive capabilities. The level that you need to be certified at will depend on the type of CUI that your company handles.

Once you have selected an RPO and a maturity level, you can begin the assessment process. The assessment will consist of a review of your company’s systems and processes, as well as on-site interviews with employees. Once the assessment is complete, you will be issued a certificate that indicates your company’s compliance level.

What are the penalties for not being CMMC certified?

If your company is found to be handling CUI without the appropriate level of security, you may be subject to civil or criminal penalties. In addition, your company may be suspended or debarred from doing business with the DoD. This could have a devastating effect on your business, so it is important to make sure that you are compliant with the CMMC requirements.

The CMMC certification process can seem daunting, but it is important to remember that the benefits of becoming certified far outweigh the costs. By taking the time to become CMMC certified, you will be ensuring that your company is able to continue doing business with the Department of Defense and other companies that handle CUI.