Cybersecurity Maturity Model Certification Goes into Effect

ACEC News / Advocacy

December 2, 2020

Cybersecurity Maturity Model Certification Goes into Effect

The Interim Final Rule for the Cybersecurity Maturity Model Certification (CMMC) went into effect this week.

CMMC is the five-tiered cybersecurity standard that all defense contractors will need to get assessed against. It carries a range of security controls designed to keep controlled unclassified information safe from digital theft.

DoD has said that they do not intend to issue fines for non-compliance. Rather, firms that cannot affirm their CMMC compliance will not be able to compete for contracts. ACEC recommends that firms speak with their USACE, NAVFAC, and AFCEC clients to assess when CMMC may begin to appear in infrastructure-related solicitations.

Beginning in 2025 all contracts will require CMMC certification, and DoD has affirmed that a select number of “pathfinder” solicitations will soon include CMMC requirements. The pathfinder solicitations will likely require various CMMC levels, including one or two that are expected to require CMMC level 4 or 5 certifications.

An independent Accreditation Body (AB) will accredit the assessors who will inspect the networks of federal contractors and oversee the training and consulting landscape by licensing teaching organizations and consultants for CMMC-specific training.

ACEC recommends that engineering firms familiarize themselves with the requirements of the standards and the Marketplace within the Accreditation Body, where the CMMC Third-Party Assessor Organization (C3PAO) can be found. Only members of the C3PAO are authorized to perform assessments on firms.

For further information, click here and here.

All comments to blog posts will be moderated by ACEC staff.