This cybersecurity assessment will be a baseline requirement for all future contracts, with phase-in into contract language starting in late 2021 and full rollout planned by 2025. Again, this will affect all federal contractors, and failure to complete a CMMC assessment could impede a contractor’s ability to compete on future contracts, which can disrupt dependable revenue streams.
At PROCAS, cybersecurity is of the utmost importance. SOC 2 Type 2 audits are performed annually by a well-known, independent audit firm, SC&H Group. Once the CMMC was announced in late 2019, we took it upon ourselves to include the published standards in our SOC 2 Type 2 audits. These standards are continually assessed and updated to meet the CMMC requirements.
As a third-party provider of accounting software for government contractors, we feel it is important to hold ourselves to the same standard of cybersecurity as our clients. We will continue to implement the protocols published by NIST and the DoD, which apply to all government contractors under CMMC.
The Department of Defense (DoD) estimates that at least 350,000 U.S. businesses in the Defense Industrial Base (DIB) contract with the federal government. All of these businesses will need to prove their cyber hygiene practices via CMMC audits, which are performed by approved, independent firms. These firms, referred to as Certified Third-Party Authorities (or C3PAOs) have the capabilities to review contractor infrastructure practices and complete CMMC certification.
However, the level of cyber hygiene to be achieved by each company depends on the work performed. Simple contracts with little to no classified information may only require a Level 1 certification for “Basic Cyber Hygiene,” whereas a more complicated contract may require Level 3 or 5 for “Advanced, Proactive & Optimized Practices.” We’d recommend speaking to a C3PAO to determine which level of CMMC is appropriate for your industry.