Many DoD contractors still believe they won't be required to comply with the Cybersecurity Maturity Model Certification (CMMC), but that's no longer the case. 32 CFR Part 170 was finalized in Q4 of 2024 and mandates CMMC compliance for all contractors processing, storing, or transmitting CUI (Controlled Unclassified Information) and FCI (Federal Contract Information).
Tip 1: Complete and Submit a NIST 800-171 Self-Assessment
• Contractors must score themselves against NIST 800-171 and report their results in the Supplier Performance Risk System (SPRS).
• Contracts have likely required this since 2017, but many companies have misrepresented their compliance.
Tip 2: Determine the Required CMMC Level
• Level 1: If the contractor only handles FCI.
• Level 2 or 3: Required for handling CUI or Controlled Technical Information (CTI).
• The contract's "Reps and Certs" section should indicate the expected level.
Tip 3: Develop a Comprehensive System Security Plan (SSP)
• This document should detail how sensitive information is managed and protected.
• It's the first item an assessor will review before beginning an audit.
Tip 4: Build a POA&M (Plan of Action & Milestones)
• Use your NIST 800-171 score to identify and track remediation efforts via a formal POA&M.
• This becomes the roadmap to certification readiness.
If you have questions or further information, I am offering a free consultation. I can be reached at 210-582-5814.