Who Needs CMMC Certification?

Any civilian organization or its subcontractors that engages directly with the Department of Defense (DoD) will be required to comply with one of three CMMC levels beginning in 2024.

1. Defense Contractors:

If your organization engages with the DoD and handles, processes, or stores Controlled Unclassified Information (CUI), CMMC Level 2 Certification is mandatory. Whether you’re a prime contractor or a subcontractor, you need to comply with the CMMC requirements that pertain to your handling of CUI.

2. Suppliers and Subcontractors:

Even if you aren’t a prime contractor, providing goods or services within the Defense supply chain makes your organization accountable for basic cyber hygiene and for protecting CUI. CMMC non-compliant companies will face increased competition from compliant companies and the likelihood of not qualifying for DoD contract awards that require CMMC compliance. In addition, CMMC non-compliance could result in losing valuable contracts.

3. Government Agencies:

Government agencies at the federal, state, and local levels handling CUI must also adhere to CMMC standards to protect national security interests.

Levels of CMMC 2.0:

CMMC 2.0 is structured into three levels, each with increasing cybersecurity requirements. The levels are:

Level 1:

This level requires organizations to perform basic cybersecurity practices and demonstrate fundamental cyber hygiene. The organization may perform an annual self-assessment, after which an officer of the company with signature authority must sign and submit a self-attestation that the Level 1 controls have been met.

Level 2:

Level 2 practices are classified as advanced cyber hygiene practices (often referred to as intermediate cyber hygiene), a progression between Level 1 and Level 3. CMMC Level 2 is designed to further protect the handling, storage and processing of CUI. Companies must obtain CMMC Certification tri-annually from an Authorized C3PAO.

Level 3:

CMMC 2.0 Level 3 applies to companies that handle CUI for Department of Defense programs with the highest priority.

Benefits of CMMC Certification:

1. Enhanced Security Posture:

CMMC ensures your organization’s cybersecurity practices are up to par, reducing the risk of data breaches and cyberattacks against your organization and the defense supply chain.

2. Compliance with DoD Requirements:

It opens doors for your company to support mission-critical DoD programs that rely on sound cybersecurity practices to protect CUI.

3. Improved Reputation:

CMMC Certification signals your commitment to cybersecurity best practices for your organization and the defense supply chain. Achieving certification enhances your reputation as a trusted partner in the eyes of other DIB partners and clients.

4. Data Protection:

Protecting sensitive data is not only a legal requirement but also crucial for maintaining the trust of your stakeholders.

Consequences of not having CMMC Certification:

Non-compliance with CMMC Certification can have far-reaching consequences, one of which is the potential invocation of the False Claims Act. Here’s a closer look at the repercussions:

1. Contract Loss:

Without CMMC Certification, you risk losing current and potential DoD contracts, impacting your revenue and growth prospects. The government is committed to working with certified entities to ensure the protection of sensitive information and may disqualify non-compliant organizations.

2. Legal Ramifications:

Non-compliance may result in legal action, fines, or penalties for mishandling sensitive information, further tarnishing your reputation. The False Claims Act is a powerful legal instrument that allows the government to take legal action against organizations making fraudulent claims regarding compliance. Fines under the False Claims Act can be substantial, often amounting to three times the damages incurred by the government due to the false claim, plus additional penalties.

Coalfire Federal’s suite of Certification, Compliance and Advisory Services include: