We have discussed in three previous Deal Notes® (DN®003, DN®108, and DN®151) the effort of the US Department of Defense (DOD) to develop a methodology by which dramatically improved cybersecurity protection could be achieved throughout the US DOD contractor and subcontractor supply base.
The goal is to develop an assurance system to better protect the dissemination of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on unclassified computer systems within the DOD supply base.
Work began in 2010 and has evolved over the past 15 years into a compliance system known as Cybersecurity Maturity Model Certification (CMMC). This model has been codified in the Defense Federal Acquisition Regulation Supplement (DFARS) so that, on all new DOD procurements, the DOD can assign a required level of compliance that must be achieved before work on the contract begins.
Application of the CMMC requirement by the DOD has begun and is being phased in throughout 2025 and 2026. We believe that it is in the best interests of middle-market defense companies to become compliant as soon as possible. There are three levels of compliance, and the level you need is dictated by your DOD contract. In general, companies that handle significant amounts of CUI and FCI will require Level 2 or Level 3 certification.
The process of becoming compliant with CMMC Level 2, for example, will generally take six to twelve months, hence the urgency to begin if you have not yet started. The basic specification requirements are in NIST SP 800-171 Revision 2, and the compliance methodology typically consists of a self-assessment followed by third-party audits on a three-year cycle.
We highly recommend that your organization become very familiar with the CMMC requirements, for which there are several resources. The most comprehensive website is https://dodcio.defense.gov/CMMC/, and we recommend beginning there.
After 15 years, CMMC is with us in the middle-market defense business. Time’s up; it’s time to become compliant.
Have a great day!
Bruce Andrews
Partner