PilieroMazza previously blogged at length regarding the draft releases of the Cybersecurity Maturity Model Certification (CMMC) guidelines in anticipation of its final release. The Department of Defense (DOD) released the final version of the CMMC guidelines on January 31, 2020. For government contractors, the release signals the start of their preparation, in earnest, for CMMC certification to improve their chances of doing business with the DOD. IT system audits are set to begin in mid-2020, and DOD plans to require certification in Requests for Proposals by late 2020.
The final version of the CMMC includes:
1. an introduction to and overview of the CMMC, with a brief explanation of the five certification levels;
2. the framework against which contractors will be measured;
3. how firms will need to update their internal IT, employee, and DOD business capture practices and procedures;
4. what contractors should be doing in their contracts with up-stream and down-stream partners; and
5. discussion and clarification for all practices within all levels of the CMMC, which provide real-world examples for implementing CMMC guidelines.
DOD did not release a list of third-party certifiers, so contractors will not be able to pursue certification yet.
Members of PilieroMazza’s Cybersecurity & Data Privacy Team will continue to write and speak about the CMMC throughout its implementation phase. In this regard, members of the Team—Jon Williams and Anna Wright—will present a webinar on Tuesday, March 17, 2020 at 2:00 PM ET concerning the CMMC guidelines.