In an effort to focus on security and resiliency, the Department of Defense (DoD) is working with various industries to enhance the protection of the following types of unclassified information within the supply chain:

FCI is information provided by or generated for the Government under contract not intended for public release. CUI is information that requires safeguarding of dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies.

Contractors working with FCI or CUI will be required to be certified based on one or more of the five CMMC maturity levels. The levels are as follows:

At a minimum contractors will need to be Level 1 certified. If a contract requires a higher level of certification, the contractor is required to meet that level and all lower levels. The levels build on one another. The level requirement will be specified in Requests for Information (RFI) and Requests for Proposals (RFP) coming from the DoD later this year.

A CMMC timeline has been established with important milestones scheduled in mid to late 2020. These milestones were established prior to the COVID-19 pandemic and may be revised. For now, the guidance we have is:

Until the CMMC Assessor requirements are released, it is not possible to receive a certification. However, due to the timeline contractors are likely not going to have sufficient time to be certified unless preparation begins now. Another important note is self-certification will not be allowed.

Dean Dorton’s IT Audit and Compliance team is working with DoD contractors to evaluate and remediate CMMC compliance so that these contractors are ready for the certification process. The compliance readiness assessments can and will be used to shorten the certification process needed later.

If you have any questions regarding how to prepare for CMMC requirements feel free to contact Kevin W. Cornwell at 502.566.1011 or kcornwell@ddaftech.com or Amy Justice at 859.425.7793 or ajustice@ddaftech.com.