Cybersecurity Maturity Model Certification
CMMC is a program developed by the Department of Defense (DoD) to clearly define cyber protection standards for companies in the defense industrial base (DIB). It is meant to enable DIB companies to meet evolving threats and to safeguard information supporting the DoD. The purpose of CMMC is to protect federal contract information (FCI) and controlled unclassified information (CUI) by creating an IT infrastructure standard for all DoD contractors to abide by.
The CMMC program includes certification requirements administered by the CMMC Accreditation Body (CMMC-AB). The CMMC-AB is responsible for vetting and certifying the individuals and organizations that will have authority to perform assessments, deliver training, and develop training materials within the CMMC framework.
On November 4, 2021, the DoD announced CMMC 2.0. The new version simplifies and streamlines the framework from five levels of certification to three. It also aligns its requirements with the existing NIST 800-171 (for Levels 1 & 2) and NIST 800-172 (for Level 3) guidelines while eliminating requirements unique to CMMC 1.0. Changes to the framework will follow the rulemaking process under Title 32 and Title 48 of the Code of Federal Regulations (CFR). The rulemaking process includes both a public comment period and congressional review, and is estimated to take between 9 and 24 months to complete.
CMMC assessment is expected to be a baseline requirement, with plans to be completely rolled out by 2025. Once CMMC standards are finalized and implemented, failure to meet them will impede a contractor’s ability to compete for DoD contracts.
PROCAS and CMMC
At PROCAS, cybersecurity is of the utmost importance. SOC 2 Type 2 audits are performed annually by an independent audit firm. Once the CMMC was announced in late 2019, the PROCAS executive team took the initiative to have our environment evaluated against the published CMMC standards and to implement enhancements to our policies, procedures and processes to meet CMMC requirements. We expanded the scope of our annual SOC 2 Type 2 audits so that the audit activities also encompass CMMC requirements.
These standards are continually assessed and updated to keep pace with CMMC requirements. As a third-party provider of accounting software for government contractors, we believe it is important to hold ourselves to the same standard of cybersecurity as our clients. We will continue to implement the protocols published by NIST and the DoD that apply to all government contractors under CMMC.