United States:
CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity
To print this article, all you need is to be registered or login on Mondaq.com.
Cybersecurity Maturity
Model Certification (“CMMC”) v.1.0, after releasing
several draft versions of the document over the past year. In an
effort to enhance supply chain security, the CMMC sets forth
unified cybersecurity standards that DOD contractors and suppliers
(at all tiers, regardless of size or function) must meet to
participate in future DOD acquisitions. Through the CMMC, DOD adds
cybersecurity as a foundational element to the current DOD
acquisition criteria of cost, schedule, and performance. We have
previously discussed CMMC on our Government Contracts
& Investigations Blog.
CMMC Maturity Levels
The CMMC includes five levels of certification, with five being
the highest or most secure. This table provides a snapshot of the
focus areas, number of practices, and requirements at each
level:
Timeline
The DOD has expressed its commitment to a “crawl, walk,
run” approach to implementing the CMMC. So, although CMMC
v.1.0 was released last month, there will be a five-year rollout
period, with all new DOD contracts containing the CMMC requirement
beginning in FY 2026, but some could start requiring it as soon as
this summer.
Putting it Into Practice: Any company that does business
with the DOD will need to comply with CMMC. Companies should review
current CMMC materials, track new releases, and aim to comply with
the requirements in preparation for a third-party audit as soon as
possible.
*Nikole Snyder is a law clerk in Sheppard Mullin’s
Washington, D.C. office.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Technology from United States
