Pratum Blog


With its new Cybersecurity Maturity Model Certification (CMMC) standard, the Department of Defense is getting serious about protecting the supply chain that protects the nation. The CMMC’s enhanced security requirements will require an estimated 300,000 companies to earn third-party certification of their security posture. By 2025, every DoD contract will require vendors to meet some level of CMMC compliance. And true to its governmental nature, CMMC presents a dizzying labyrinth of acronyms, levels and due dates.

To help companies understand how CMMC affects them, we talked with Pratum Senior Information Security Consultant Ben Hall, who recently completed coursework to become a Registered Practitioner with the CMMC Accreditation Body (CMMC-AB). That makes him one of the nation’s first wave of private consultants trained to help companies prepare for their CMMC assessments. We asked Ben for some real-world advice on how to implement CMMC efficiently.



Answers to CMMC Certification Questions


Q:

Tell me in 30 seconds what I need to know about CMMC.

A:

If you produce something in a supply chain that ends with a product delivered to the DoD, you’ll probably need to get CMMC-certified at some point in the next four years. And you can’t just declare yourself secure. It’s a significant process that ends in assessment by a certified third party. If you don’t do this, any company that ultimately serves the DoD will have to stop using you as a vendor. For more details, I recommend taking a couple of minutes to read the FAQs Pratum recently posted. This roadmap provided by the CMMC-AB also offers a great, quick summary.


Q:

If I’m not a prime contractor to the DoD, do I still need to worry about this?

A:

Probably. Prime contractors must ensure their subcontractors are certified at the required CMMC level prior to awarding subcontracts. The only exceptions are companies that solely provide commercial off-the-shelf products (COTS, as the government calls it). Items meet the COTS criteria if they are mass-produced, rather than customized for government use. But to be honest, if you’re unwilling to take the security steps required to meet even Level 1 of CMMC, many larger companies won’t feel safe doing business with you anyway.


Q:

What does it mean that you just became a Registered Practitioner for CMMC?

A:

I’m trained to help organizations prepare for the CMMC certification process, which is a test you definitely want to pass on the first try for your desired or required maturity level. You’re going to invest significant time and money preparing for your assessment, and failing your assessment means you won’t get the contract. During my coursework administered by the CMMC-AB, I learned all the details of how CMMC works. So I can help companies understand exactly which level they’ll need to reach, identify where they’re currently falling short of the requirements and make a plan to get everything ready in time.


Q:

Can you personally certify a company as CMMC-compliant?

A:

CMMC rules require that you have two different people handle the prep process and the actual assessment. The CMMC-AB’s official assessors are known as Certified Assessors (CAs), who work for Certified Third-Party Assessment Organizations (C3PAOs). One person can be both a Registered Practitioner (who handles the prep process) and a Certified Assessor (who does the assessment). But I’ll be focusing on preparing clients for review by a Certified Assessor.


Q:

So just to be clear: I can’t do a self-assessment anymore?

A:

Correct. That’s actually one of the driving forces behind CMMC. Under the DoD’s Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, companies could do a self-attestation of their security posture and submit their score. CMMC requires you to get a third-party evaluation.


Q:

Is something like this going to be applied to government contracts beyond the DoD?

A:

Probably. Most industry watchers expect CMMC or something very similar to it to become the standard for all federal procurement.


Q:

How long will I have to make changes if I barely miss the grade on my assessment?

A:

Unfortunately, you don’t get a grace period. This is a pass/fail situation. If the DoD puts a required CMMC level in a contract, it will only award the contract to a vendor who has that certification done at the time the contract is awarded. While many previous government standards allowed you to fix shortcomings through a Plan of Action and Milestones (POA&M), CMMC doesn’t allow for POA&Ms.


Q:

Got it: I need to plan ahead. How soon do I need to worry about this showing up in RFPs and contracts?

A:

A handful of prime contracts have already been issued with CMMC requirements. The DoD will continue to gradually require CMMC compliance in a rollout stretching from 2021 to 2026. Right now, it looks like about 15 new prime contracts will include CMMC in 2021.


Q:

Where should I start my preparation?

A:

Based on the kind of information you use in the course of doing business, you should be able to determine which of the five CMMC levels you’ll need to achieve. Then you can review the requirements for your level and start figuring out what you’ll need to do to achieve certification.


Q:

Can I get the government to help pay for any of this new process?

A:

The DoD has laid the groundwork for grants that will help small and medium-size businesses pay some of the CMMC costs. The National Defense Authorization Act for 2021 includes a section authorizing the secretary of defense to allocate funds to the MEP Centers mentioned below so they can help businesses get their certifications. Talk with the MEP Center in your state to get the details on what’s available and how you can apply.

Advisors at your local PTAC (see below) can also help you determine how much of your CMMC process you might be able to build into contracts as an allowed expense.


Q:

Where can I get help with all this?

A:

That's what I'm here to do! A cybersecurity consultant like Pratum will help with a gap analysis and a plan to get you ready in time for the contracts that apply to you. Check out our CMMC consulting page or get in touch with us.

You also can get advice from governmental bodies tasked with helping manufacturers and other companies navigate the government procurement process. Each state has a Manufacturing Extension Partnership Center that can help you with CMMC. You can look up yours at https://www.nist.gov/mep/centers. You can also work with one of about 300 Procurement Technical Assistance Centers nationwide. You can find a nearby PTAC at https://www.aptac-us.org/.

