The Department of Defense has announced that 15 pathfinder CMMC contracts will be awarded in the 2021 fiscal year. Seven pilot nominations for those contracts include:
- U.S. Navy
- Integrated Common Processor
- F/A-18E/F Full Mod of the SBAR and Shut off Valve
- DDG-51 Lead Yard Services / Follow Yard Services
- U.S. Air Force
- Mobility Air Force Tactical Data Links
- Consolidated Broadband Global Area Network Follow-On
- Azure Cloud Solution
- Missile Defense Agency
- Technical Advisory and Assistance Contract
Why Are These Contracts Important?
These new pathfinder contracts serve as sort of gatekeepers to test the waters of this new system. All eyes will be on their operational capabilities to see how the individual contractors can navigate the regulatory guidelines.
Although only 15 contracts will be awarded in 2021, that does not mean that CMMC certification will be limited to those organizations. These pathfinder contracts will require an estimated 1,500 organizations to comply with CMMC, since CMMC compliance must be achieved by all suppliers, vendors, subcontractors, and businesses throughout the supply chain. The number of companies needing to certify will grow exponentially in the future as more contracts are announced and awarded.
Additionally, the government is still working on how to implement CMMC. The DoD has yet to determine whether the respective companies need to be compliant when bidding for contracts or if gaining compliance upon the awarding of a contract is sufficient.
Regardless of how the policies are executed, it is imperative to stay current with the directives so that your company is not left behind in the awarding of CMMC pathfinder contracts. These contracts serve as an opportunity to be in on the ground level of this new process and help shape the framework of the guidelines while still maintaining the work of your contract.
Basics of CMMC
CMMC stands for the Defense Department’s Cybersecurity Maturity Model Certification program. The previous iteration of the DoD’s cybersecurity program was initially implemented in 2015 with the Defense Acquisition Federal Regulation Supplement, or DFARS. This was intended to create aligned and uniform standards of cyber protection against all manners of both current and potential security threats.
Unfortunately, the method of contractors self-assessing their preparedness led to vulnerabilities, thus resulting in the necessity of the government creating and mandating further guidelines that increase accountability, including a standardized scoring methodology for self assessments and random audits.
According to Matt Brennan of SysArc, an IT service provider that provides CMMC consulting services, “Under DFARS, companies were previously allowed to self-certify to prove their compliance. However, under CMMC, these C3PAOs will enact equal standards across the board to ensure that the correct level of compliance is being met.”
The official CMMC program was announced in January 2020 with coordinated updates that followed, and rollouts will continue until 2025.
Previously, the government was operating with these contractors on a trust basis. Now, they will be handling the relationships with a verified model where the contractors rate themselves on a scale. The rating system functions through the DoD portal Supplier Performance Risk System (SPRS). The government officials will now conduct a follow-up, on-site visit where they will weigh the self-rated scores against the actual practices of the contractor regarding those cybersecurity guidelines.
The program will be fully operational in October 2025, with all applicable contracts expected to be fully compliant at that point.