This content was published prior to the merger of equals between BKD and DHG on June 1, 2022.
What Subcontractors Need to Know About the CMMC
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 outlines cybersecurity-related requirements for government contractors and their subcontractors. These requirements protect the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. For government controllers, failure to meet these requirements could result in consequences.
Building on Defense Federal Acquisition Regulation Supplement requirements, the Department of Defense (DoD) is initiating a new standard in 2020 addressing cybersecurity vulnerabilities in the defense industrial base and security in the supply chain. This standard, called the Cybersecurity Maturity Model Certification (CMMC), will replace NIST 800-171 on DoD RFIs and RFPs. The CMMC could have a profound impact on which companies qualify for DoD contracts. BKD will explore what companies should be paying attention to within the CMMC, and how to prepare.
Learning Objectives
Upon completion of this program, participants will be able to:
- Describe cybersecurity maturity and the expected levels of certification
- Discuss the expected process for conducting CMMC assessments
- Describe the approximate timeline DoD has set for developing and implementing the CMMC
- Describe how entities will conduct certification and how the process will be managed
- Identify when subcontractors should expect CMMC to be incorporated into RFIs and solicitations
- Discuss developments to expect in regulation changes across government and in legislation