How will the US DoD regulations and requirements as part of the new CMMC affect your business?

Thursday, February 4th, 2021

If your organisation is one of the 300,000 currently doing business with the U.S. Department of Defense (DoD), then you may be affected by regulatory requirements being brought in this year as part of the new Cyber Maturity Model Certification (CMMC). Designed to allow for better assessment of, and pragmatic improvements to, the cybersecurity posture of the US Defense Industrial Base (DIB), CMMC unifies existing legislation into a single set of cybersecurity best practices and maps those practices and processes to five Maturity Levels, ranging from basic cybersecurity hygiene (ML1) to advanced cybersecurity practices (ML5).

Given the range and scope of the services delivered by the DIB sector, the CMMC framework is designed to support suppliers with varying requirements for cyber hygiene, which depend on the types of data they store and process under their contract. The five Maturity Levels are cumulative, and the level required is defined through each procurement. Notably, the primary contractor must now flow the relevant level of compliance (procedures and capabilities) down to any sub-contractors it involves in fulfilling DoD contracts, although those sub-contractors may be able to certify at a lower level depending on their role in the contract.

In the past, organisations could self-assess their compliance with the DoD's cybersecurity requirements. Going forward, in order to close perceived gaps in assurance and ensure that mandatory standards of compliance are maintained across the entire DIB, the assessment must be completed by an independent Third-Party Assessor Organisation (3PAO). With around 15 procurement programs moving to CMMC requirements from mid-2021, many businesses are expected to be affected by the changes and will need to be certified or risk losing the ability to bid for DoD contracts.

With the CMMC Accreditation Body recommending six months to prepare for certification, companies should get on the front foot now by reviewing the CMMC requirements, identifying the Maturity Level they need in order to bid on their target contracts, assessing their existing cybersecurity practices and running a gap analysis. This proactive approach provides a smoother transition to the new operating model and means that companies can achieve certification quickly and avoid exposure to contract risk.

CBG has introduced a pre-certification Readiness Assessment that covers all the above steps to highlight any areas of compliance risk. Our specialist Consultants can further support your organisation to remediate identified gaps and implement the practices and processes necessary to align your security controls and policies with the CMMC framework required for your designated Maturity Level.

For more details on the service, and how CMMC could affect your business, please contact us at or call +44 (0) 1223 843903

by Dom Wordsworth, Solution Director
