Welcome to our second post of our blog series, CMMC to the Core! This week we are taking a look at who needs to obtain their CMMC certification and the impact of CMMC on businesses.

Did you know, the DOD estimates that CMMC requirements will affect over 300,000 organizations? Let’s find out if yours is one of them!

Who needs CMMC Certification?

Here are a few simple questions that will help you determine if CMMC is something you need to pay attention to.

1. Is your company a prime contractor for the DOD?
2. Is your company a subcontractor or supplier supporting DoD contracts (fulfillment of services, products, etc.)?
3. Is your company in the defense contract supply chain (meaning, do you provide any products or services to the DOD)?

If you answered YES to one or more of the questions above, then CMMC applies to you!

Now let’s figure out what level of certification is appropriate for your business.

As a recap from our first CMMC post, the DOD recently revised the original CMMC plan from five maturity levels of certification to three, which is now referred to as CMMC 2.0. The purpose behind the revision was to simplify and provide clarity on what is required. The diagram below shows CMMC Model 2.0.

CMMC’s Impact on Your Business

CMMC will significantly affect how DOD contracts are awarded. In fact, some level of CMMC certification will be required for all solicitations issued by DOD, Intelligence Community (IC), and civilian agencies.

The soliciting contracting officer will determine the maturity level required for companies to bid on a given solicitation. This will be done on a case-by-case basis because the level required depends on the sensitivity level and type of information the winning bidder will receive or handle, and therefore, will vary upon request.

As a prime contractor, you need to assess what level of certification you think you will need based on the types of contracts you plan to renew or bid on in the future. That’s worth repeating… your organization will only be able to bid on solicitations with a maturity level that is equal to or less than the level your company holds.

The same goes for subcontractors – you will also need to assess what level of certification you think you will need. Solicitations will dictate the required maturity level for subcontractors and if you don’t meet that maturity level you will not be able to bid. The subcontractor requirement may be equal to or less than the prime contractor requirement (i.e., Level 2 required from the prime contractor and all subcontractors/suppliers, or Level 2 required for the prime only, and Level 1 required for all subcontractors/suppliers).

Prime contractors are responsible for managing the certification status of all suppliers and subcontractors to properly comply with CMMC policy.

Where to Start

To help you get started, stay on track, and move forward; we’ve compiled a list of tips that helped us begin working toward our CMMC certification so that we could make decisions with great confidence.

Here are a few of the top resources that we’ve found helpful along the way:

• Create Google news alerts for “CMMC” to receive a notifications of DOD announcements, analysis, industry discussion, and more

• Sign up for free informational webinars from your trusted market leaders
  • https://landing.exostar.com/en-us/cmmc-prep-webinar
  • https://www.smithers.com/resources/2021/december/webinar-what-is-cmmc-2-0
  • https://cmmcab.org/conversations/

• Keep an eye out for scoping guidance on the CMMC website: https://www.acq.osd.mil/cmmc/about-us.html

• Consider hiring a CMMC readiness consultant; interview and seek proposals from consultants soon so you can budget appropriately!

Be sure to continue to follow Four Inc. on social media and be on the lookout for our next CMMC post which will take a deep dive into why CMMC matters.