Time To Act on Your CMMC Program
The Cybersecurity Maturity Model Certification (CMMC) program recently took an important step forward. The final rule is set to come into effect on December 16, 2024. From there, the CMMC requirement will be extended to all DIB (Defense Industrial Base) contracts, as part of a phased-in approach.
Key steps for contractors
The CMMC Program certifies that a contractor is compliant with the set of requirements for protecting the confidentiality of controlled unclassified information (CUI).
CMMC is divided into three levels, depending on the type of information a company handles and the type of work it does. Level 1 allows for an annual self-assessment, and Level 3 organizations will be assessed by government officials. Most DIB contractors will fall into Level 2, for which a third-party assessment is required.
Although the rollout period for CMMC contract requirements is expected to last over 2 years, it’s still not known how the progression will play out. In fact, starting from the effective date, any DIB contract may include CMMC as a requirement. It is therefore critical to act now if your organization wants to continue doing business with the DoD in 2025.
The first step is to complete a gap assessment. “A gap assessment will give you a clear idea of what security gaps need to be fixed and the remediation activities that need to be implemented,” says Rhia Dancel, NSF Information Security, Technical Manager.
Based on the findings of the gap assessment, the second crucial step in your CMMC journey is to secure an assessment date. Although CMMC assessments will be conducted only after the effective date, it is important to secure one as early as possible, to avoid delays and bottlenecks: “There are over 300,000 suppliers in the DIB, but currently less than 60 CMMC Third-Party Assessment Organizations (C3PAO). If there is an influx of organizations that are ready for a CMMC assessment, they may have to wait in line,” says Dancel.
How NSF can help
NSF is an authorized C3PAO with extensive experience in information security and dedicated CMMC professionals.
If you're doing business with the DoD and you don't want to lose your eligibility to bid on contracts or to participate as a subcontractor, you can count on us for:
- Gap assessment
- CMMC assessment
- Expert guidance*
Stay tuned for more details about NSF’s training on Information Security awareness and related CMMC topics.
To request information about the CMMC program and our auditing services, contact Haley Glass, Information Security territory account executive, at hglass@nsf.org.
Would you like to learn more about Cybersecurity Maturity Model Certification (CMMC)?
*Please note that any suggestions made in this article or guidance provided by our experts do not constitute consulting and following any of these suggestions is not linked in any way to the granting of certification.