[co-author: Nikole Snyder*]
Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year. In an effort to enhance supply chain security, the CMMC sets forth unified cybersecurity standards that DOD contractors and suppliers (at all tiers, regardless of size or function) must meet to participate in future DOD acquisitions. Through the CMMC, DOD adds cybersecurity as a foundational element to the current DOD acquisition criteria of cost, schedule, and performance. We have previously discussed CMMC on our Government Contracts & Investigations Blog.
CMMC Maturity Levels
The CMMC includes five levels of certification, with five being the highest or most secure. This table provides a snapshot of the focus areas, number of practices, and requirements at each level:
Source of information: CMMC v.1, Sec. 2.7.1, available here.
The DOD has expressed its commitment to a “crawl, walk, run” approach to implementing the CMMC. So, although CMMC v.1.0 was released last month, there will be a five-year rollout period, with all new DOD contracts containing the CMMC requirement beginning in FY 2026, but some could start requiring it as soon as this summer.
Putting it Into Practice: Any company that does business with the DOD will need to comply with CMMC. Companies should review current CMMC materials, track new releases, and aim to comply with the requirements in preparation for a third-party audit as soon as possible.
*Nikole Snyder is a law clerk in Sheppard Mullin’s Washington, D.C. office.