The Cybersecurity Maturity Model Certification (CMMC)

In 2020, the Department of Defense announced a new strategic effort to strengthen cybersecurity on its building projects going forward. The Cybersecurity Maturity Model Certification (CMMC) will hold companies accountable for implementing cybersecurity standards that protect sensitive data during the design, build and operation of DoD facilities. Through research grants from the John R. Gentille Foundation and ELECTRI International, MCAA’s Chief Security Fanatic, Nick Espinosa, has produced a video series, along with official DoD CMMC documentation, to provide ongoing updates on CMMC changes as the standard evolves and in-depth tutorials on all 110 CMMC Level 2 security controls.

Recently, the DoD opened its review and comment period, with the formal rules expected to go online around the fourth quarter of 2024 or the first quarter of 2025. The self-assessment phase for the DoD’s Supplier Performance Risk System (SPRS), which must be completed by every contractor working on a DoD project, has been live since 2020, and all contractors should already have submitted a score or be working towards submittal. The next phase, after the contractor has aligned its organization to the proper CMMC security controls, requires a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO). This is an assessment of a contractor’s cybersecurity practices in order to achieve formal certification for three years. At this time, the CMMC draft rules are being used for certification, and this process will continue as the formal rules soon become law.

The CMMC program includes cyber protection standards for companies in the Defense Industrial Base (DIB). By incorporating cybersecurity standards and practices into acquisition programs, CMMC provides the DoD with assurance that contractors and subcontractors are meeting these cybersecurity requirements. For plumbing, mechanical and service contractors working on DoD projects, this means that they will have to formally document the cybersecurity controls they are required to implement through policies, processes and collected evidence. This also extends to any cloud providers the contractor uses, which must meet a more stringent standard for data security known as FedRAMP Moderate.

CMMC Control Family Videos:

Most Critical Documents from the DoD and NIST: