If you are involved in federal government contracting, or are looking at becoming a federal government contractor, you may have heard the term CMMC thrown around. In this article we explain exactly what it is, why it matters in the federal government contracting industry, and the steps needed to get CMMC certified. To learn more about CMMC, get in contact with us: email firstname.lastname@example.org or call (816) 533-5509.
What Is It?
The Cybersecurity Maturity Model Certification (CMMC) was recently created as part of the Defense Federal Acquisition Regulation Supplement (DFARS). The certification is a comprehensive DoD initiative that will be phased in over the next five years and fully rolled out in 2026.
Why Is This Important
Businesses that currently accept federal contracts will need to obtain CMMC certification in order to accept contracts in the future. We recommend that businesses start implementing changes to comply with the CMMC as soon as possible, so that government contractors have time to be ready for the changes to their eligibility coming in 2026. Agencies enforcing CMMC include the DoD, the USDA, and other government agencies.
Steps to Take: The Interim Rule
Even though the new CMMC requirements won’t be rolled out until 2026, there are steps you can take right now, and the interim rule is one of them. It states that all DoD contractors and members of the Defense Industrial Base (DIB) supply chain must perform a self-assessment. This basic self-assessment reviews your current cybersecurity posture by evaluating the implementation of the 110 cybersecurity controls in NIST SP 800-171. Here are some important things to remember about the self-assessment:
- If you receive less than 110 points, you must generate a Plan of Action and Milestones (POA&M) document. The POA&M explains how each deficiency will be addressed and how the failing items will be remediated; update your score as the deficiencies are addressed and remediated.
- As a contractor, you must also develop and submit a System Security Plan (SSP) describing in detail the NIST SP 800-171 controls you have implemented, including operational procedures, organizational policies, and technical components.
- Upon concluding the self-assessment, you must submit the results to the government’s Supplier Performance Risk System (SPRS) database within 30 days.
After the Self-Assessment
Beyond the self-assessment, there are some other steps you can take to prepare your business. Check out these tips:
- Establish a System Security Plan (SSP): Building an SSP helps you map your network and information assets (hardware and software) and is the starting point for knowing how many of the 110 controls your business has implemented so far.
- Assess how you handle Controlled Unclassified Information (CUI): Ask how your business manages CUI, including who accesses it, where it is stored, and how it is shared.
- Conduct a DoD self-assessment: Use a tool to conduct the self-assessment and obtain a score per the NIST SP 800-171 Assessment Methodology.
- Build a POA&M document: List every step you will take to fix the deficiencies that kept you from a perfect score of 110, along with an estimated completion date for each.
- Upload the self-assessment score: Don’t forget to upload the results to the SPRS database within 30 days of conducting the self-assessment, along with the SSP and POA&M.
- Document everything: This step is non-negotiable. Document every important aspect of your journey, from preparation to self-assessment to remediation.
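To make the scoring, POA&M and 30-day deadline steps above concrete, here is an added worked example (not part of the original article or of any DoD tool). It scores a self-assessment the way the NIST SP 800-171 DoD Assessment Methodology does: start at the perfect score of 110 and subtract a 5-, 3- or 1-point weight for each control that is not fully implemented, with the methodology's partial-credit rule for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The assessment results, the assessment date and the 90-day remediation horizon are constructed sample values; only six controls are listed and the rest are treated as implemented, so confirm each weight against the methodology's Annex A before using the script for a real submission.

```python
"""Scoring a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does: start at the perfect score of 110, subtract a weight for
each control that is not fully implemented, list the deficient controls as
POA&M entries, and compute the 30-day SPRS submission deadline.

The 5/3/1 weights and the partial-credit rule for 3.5.3 (MFA) and 3.13.11
(FIPS-validated cryptography) are the methodology's; the assessment results
below are CONSTRUCTED sample data for a fictional contractor, and controls
not listed are treated as implemented so the example stays short.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

PERFECT_SCORE = 110                          # all 110 controls implemented
SPRS_SUBMISSION_WINDOW = timedelta(days=30)  # deadline for posting the score

# Controls that earn partial credit: a partial implementation deducts 3
# points instead of the full weight of 5. Every other control is all-or-nothing.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class ControlResult:
    control_id: str  # NIST SP 800-171 control number, e.g. "3.1.1"
    title: str       # short description carried into the POA&M
    weight: int      # 5, 3 or 1 as assigned in the methodology's Annex A
    status: str      # "implemented", "partial" or "not_implemented"


def deduction(result: ControlResult) -> int:
    """Points subtracted for a single control."""
    if result.status == "implemented":
        return 0
    if result.status == "partial" and result.control_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[result.control_id]
    # "partial" on any other control counts the same as not implemented.
    return result.weight


def assessment_score(results: list[ControlResult]) -> int:
    """Score to report in SPRS. It can be negative (the floor is -203)."""
    return PERFECT_SCORE - sum(deduction(r) for r in results)


def poam_entries(results: list[ControlResult], assessed_on: date,
                 days_to_remediate: int = 90) -> list[dict]:
    """One POA&M line per deficient control: what is missing, how many
    points it costs, and the milestone date by which it will be fixed.
    The 90-day default is an assumed planning horizon, not a DoD rule."""
    entries = []
    for r in results:
        points = deduction(r)
        if points == 0:
            continue
        entries.append({
            "control": r.control_id,
            "weakness": r.title,
            "status": r.status,
            "points_recoverable": points,
            "milestone": assessed_on + timedelta(days=days_to_remediate),
        })
    # Highest-value gaps first; Python's sort is stable, so equal weights
    # keep their original order.
    entries.sort(key=lambda e: e["points_recoverable"], reverse=True)
    return entries


def sprs_deadline(assessed_on: date) -> date:
    """Last day to post the score, SSP and POA&M to SPRS."""
    return assessed_on + SPRS_SUBMISSION_WINDOW


# Constructed sample results for a fictional contractor.
SAMPLE_RESULTS = [
    ControlResult("3.1.1", "Limit system access to authorized users", 5, "implemented"),
    ControlResult("3.1.2", "Limit access to authorized transactions and functions", 5, "implemented"),
    ControlResult("3.1.20", "Verify and control connections to external systems", 1, "not_implemented"),
    ControlResult("3.5.3", "Multifactor authentication for local and network access", 5, "partial"),
    ControlResult("3.13.11", "FIPS-validated cryptography to protect CUI", 5, "not_implemented"),
    ControlResult("3.14.1", "Identify, report and correct system flaws in a timely manner", 5, "not_implemented"),
]
SAMPLE_ASSESSMENT_DATE = date(2024, 3, 1)  # constructed assessment date

if __name__ == "__main__":
    print("Score:", assessment_score(SAMPLE_RESULTS))  # 96
    print("Submit to SPRS by:", sprs_deadline(SAMPLE_ASSESSMENT_DATE))  # 2024-03-31
    for entry in poam_entries(SAMPLE_RESULTS, SAMPLE_ASSESSMENT_DATE):
        print(f"  {entry['control']:<8} -{entry['points_recoverable']}  "
              f"{entry['weakness']}  (fix by {entry['milestone']})")
```

With the sample data the deductions are 1 + 3 + 5 + 5 = 14, giving a score of 96, four POA&M entries ordered by the points each would recover, and an SPRS deadline 30 days after the assessment date. Swapping in your own 110 results and the weights from Annex A turns this into a quick sanity check on the score before it is posted.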
We know this is a lot to take in, but here at Aspis we are always available to help. Whether you are with us in Kansas City, Duluth, or Washington D.C., our services are just a message away. To get in touch, follow us on LinkedIn, Facebook, and Instagram, and check out our other cybersecurity consulting blogs by visiting our website!