What is the DRAFT CMMC?

The  DRAFT CMMC, or the Cybersecurity Maturity Model Certification, is an upcoming standard being formed by the US Department of Defense  (DoD) in order to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in response to increasing cybersecurity threats. Once in place, the five maturity levels of the DRAFT CMMC will ensure that each DoD contractor and subcontractor has met the required security guidelines.

The DRAFT CMMC improves upon the current standard that protects CUI, NIST 800 – 171, by not mandating that each contractor must adhere to the same security standards; contractors that have little to no information to protect are not required to achieve the same maturity level as a contractor that has an abundance of controlled information. This greatly streamlines compliance by “right-sizing” requirements to each contractor.

While NIST 800 – 171 allows contractors to self-assess their compliance, the DRAFT CMMC mandates that every DoD contractor becomes certified by passing a compliance audit, conducted by a certified third-party assessment organization. Under the DRAFT CMMC, all contractors will need to have been audited against one the five maturity levels to be able to bid on government contracts.

Given that the DRAFT CMMC framework is not yet in practice, the Defense Federal Acquisitions Regulations Supplement (DFARS) regulations require that assessments continue to be conducted under the NIST 800–171 framework.

How RVR Can Help 

RVR is carefully monitoring the progression of the DRAFT CMMC, and we are currently able to work with your company to align your security program while aggregating and documenting the materials necessary to successfully demonstrate compliance within the NIST 800–171 framework. RVR’s team members are experienced in information security, and will leverage that experience to help architect your security program to align with the ever-changing compliance landscape.

Using the expertise garnered through years of experience, RVR team members can also conduct company assessments to identify gaps in your existing processes and procedures. Additionally, RVR can work with your company’s key leadership to support the automation and documentation of your existing processes while helping to implement new procedures based on industry best practices to mitigate future risk.

“The CMMC will greatly impact government contractors and subcontractors by eliminating the ability to self-assess, and mandating a 3rd party audit. Although this will be scary for a lot of firms, the changes that the CMMC makes around the scope of these audits will be largely beneficial because it will be “right-sized” to each organization.

With any new compliance roll out, there will undoubtedly be a lot of confusion. However, by partnering with RVR, and leveraging their decades of experience in cyber security and compliance, you can be assured that your firm will be ready for your CMMC audit and beyond.” – Jack Norman, Senior IT Consultant

*Please note that the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) requires the word “DRAFT” to be placed in front of “CMMC,” as the standard is not yet complete or released.