DoD Warns: Don't be fooled by CMMC Certification Services
More than 300,000 DoD contractors and subcontractors make up the Defense Industrial Base, each scrambling to understand and implement CMMC certification initiatives. The process and timing make them a valuable target for unscrupulous service providers. Find out why achieving CMMC compliance is out of reach today and what you can do now to prepare.
Defense contractors and the Department of Defense (DoD) have reported a notable increase in fraudulent, confusing, and misleading solicitations from service providers offering CMMC certification. These businesses seek to take advantage of proactive defense contractors who prioritize achieving CMMC compliance and will attempt to collect payment for services they are not equipped to provide.
How do we know these are false? Because there are no auditors for CMMC yet. DoD Under Secretary Ellen Lord publicly spoke out against companies claiming to provide CMMC certification to contractors:
"Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD... so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department."
How will DoD offer CMMC certification?
The DoD itself will not be certifying companies for CMMC. Instead, the 13-member CMMC Accreditation Board (CMMC-AB) has been formed, including professionals from defense companies and leaders within the cybersecurity and academic communities. This accreditation board is responsible for establishing and certifying a group of CMMC third-party assessment organizations called C3PAOs and has released program details for the C3PAOs who will conduct the assessments. However, defense companies cannot afford to wait to begin CMMC certification efforts and need to take every step leading up to the point of their CMMC certification audit.
What can DoD contractors do to prepare for CMMC compliance now?
Begin preparing for a CMMC Certification today
Defense companies should start by reviewing the cyber hygiene requirements needed for their desired compliance level and noting critical dates on the CMMC timeline:
- January 2020: DoD introduced CMMC Version 1.0
- June 2020: CMMC-AB opened registration for C3PAOs and third-party assessors and released program requirements
- July 2020: DoD to create and publish CMMC training
- Summer 2020: DoD to undergo rulemaking to implement the CMMC into the DFARS regulation
- September 2020: DoD to incorporate CMMC requirements in Requests for Proposals (RFPs)
- Fall 2020: C3PAO training criteria to be published
- Winter 2020-2021: C3PAO certified training
- Winter/Spring 2021: Ecosystem Go-live
- FY 2021 – 2026: Phased rollout implementation of the CMMC
- FY 2026: CMMC certification required for all companies doing business with the DoD
While CMMC compliance cannot be reached until C3PAOs and independent assessors are certified, the DoD is already planning to require CMMC certification for RFPs by the end of the year.
If you are a defense company, you should be planning, drafting policies, deploying relevant solutions, and instituting company-wide policy changes now.
- The roadmap to CMMC Maturity Level 3 starts with compliance to NIST 800-171.
- Identify which CMMC compliance level you need to reach, perform a gap analysis, and remediate what gaps you can now.
- Draft a budget for CMMC compliance. It should include costs for planning, updating policies, enhancing security solutions, updating and deploying solutions, and more.
- Build a Plan of Action & Milestones (POA&M) to ensure continual compliance with NIST 800-171 and existing contracts, and to establish timelines and resource requirements.
Make no mistake, claims from companies promoting services that get your organization to CMMC certification today are 100% false. While CMMC compliance cannot be reached until C3PAOs and independent assessors are certified, you can stay up to date on the latest CMMC developments by regularly visiting the DoD's website for updates or by contacting a defense cybersecurity IT firm like eTrepid for an initial readiness assessment.
Avoid scams by contacting us to receive an educational consultation regarding your Gap Analysis and determine where your focus should be, or join an upcoming webinar reviewing Compliance and CMMC Unmasked.