CMMC Compliance | PROCAS

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a mandatory Department of Defense (DoD) initiative that requires all businesses that contract with the federal government to undergo a cybersecurity assessment and certification based on NIST 800-171. The purpose of this mandate is to protect federal contract information (FCI) and controlled unclassified information (CUI) by establishing an IT infrastructure standard that all federal contractors must abide by.

This cybersecurity assessment will be a baseline requirement for all future contracts, beginning to be phased into contract language in late 2021, with plans for a complete rollout by 2025. Again, this will affect all federal contractors, and failure to complete a CMMC assessment could impede a contractor’s ability to compete for future contracts, which can disrupt dependable revenue streams.

Does PROCAS address CMMC requirements?

At PROCAS, cybersecurity is of the utmost importance. SOC 2 Type 2 audits are performed annually by a well-known, independent audit firm, SC&H Group. Once the CMMC was announced in late 2019, we took it upon ourselves to include the published standards in our SOC 2 Type 2 audits. These standards are continually assessed and updated to keep pace with CMMC requirements.

As a third-party provider of accounting software for government contractors, we feel it is important to hold ourselves to the same standard of cybersecurity as our clients. We will continue to implement the protocols published by NIST and the DoD that apply to all government contractors under CMMC.

How will CMMC assessments be performed?

The Department of Defense (DoD) estimates that at least 350,000 U.S. businesses in the Defense Industrial Base (DIB) contract with the federal government. All of these businesses will need to prove their cyber hygiene practices via CMMC audits, which are performed by approved, independent firms. These firms, referred to as Certified Third-Party Authorities (or C3PAOs), have the capability to review contractor infrastructure practices and complete CMMC certification.

However, the level of cyber hygiene each company must achieve depends on the work performed. Simple contracts with little to no classified information may only require a Level 1 certification for “Basic Cyber Hygiene,” whereas a more complicated contract may require Level 3 or 5 for “Advanced, Proactive & Optimized Practices.” We recommend speaking to a C3PAO to determine which level of CMMC is appropriate for your industry.

For additional information provided by our partners at Edwards Performance Solutions, visit our blog post, CMMC Fitness - 12 Months to Get Your OSC in Shape.