Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) program is the Department of Defense’s program to help industry meet the security requirements of 32 CFR Part 2002, DFARS 252.204-7012, and DoDI 5200.48 when implementing National Institute of Standards and Technology (NIST) SP 800-171.

The program is aligned with the Department’s information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce the protection of sensitive unclassified information that the Department shares with its contractors and subcontractors, by providing increased assurance that industry is meeting the cybersecurity requirements that apply to acquisition programs and systems that process Controlled Unclassified Information (CUI).

The Department intends to allow companies to receive contract awards with a limited-time Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, so that the remaining subset can be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be placed on a POA&M when seeking a CMMC certification. CMMC will be implemented through the acquisition and contracting process with limited exceptions, and the Department intends to require compliance with CMMC as a condition of contract award.


The Department does not intend to approve the inclusion of a CMMC requirement in any contract before the CMMC 2.0 rulemaking process is complete. CMMC 2.0 will become a contract requirement once rulemaking is completed. Industry is encouraged to become familiar with the CMMC certification levels and with NIST SP 800-171 in the meantime.

See the CMMC webpage here: https://dodcio.defense.gov/CMMC/