If you are a DoD contractor, why is the year 2025 a critical date?

Cybersecurity Maturity Model Certification (CMMC)

Here are three (3) reasons:

  1. Cybercrime could cost the world as much as $10.5 trillion annually by 2025.1
  2. The Cybersecurity Maturity Model Certification (CMMC) is currently being rolled out and will be fully implemented by 2025.
  3. By 2025 CMMC will be a DoD contractual requirement and a condition for awards.

In number two (2) above, the critical point is that CMMC is currently being rolled out, meaning that this is a phased rollout, which means that you do not have to wait until 2025 to obtain the certification. We will discuss the certification process further below, but for now, let us begin with a few basics.

What Is the Cybersecurity Maturity Model Certification (CMMC)?

Part of the DoD’s focus on the security and resiliency of the Defense Industrial Base (DIB) sector involves working with industry to enhance the protection of sensitive information and intellectual property within the supply chain.

Therefore, the U.S. Department of Defense (DoD) is implementing the Cybersecurity Maturity Model Certification (CMMC) as a means of verifying and ensuring the cybersecurity of its supply chain.

Certification: For Whom and When?

CMMC impacts any and all organizations that provide goods or services to the DoD. As mentioned, it is currently being rolled out with some contracts already requiring the certification. CMMC will be fully implemented on October 1, 2025. At that point, CMMC will be a DoD contractual requirement and a condition for award.

CMMC impacts more than 350,000 U.S. organizations in the Defense Industry Base (DIB). It is interesting to note that approximately 74 percent of DoD contractors are small businesses. So, if you thought that only big companies win DoD contracts, think again! There are thousands of opportunities for small and mid-market companies to win lucrative DoD contracts.

It is also true that the five (5) largest DoD contractors – Lockheed Martin, Boeing, Raytheon, General Dynamics, and Northrop Grumman – regularly subcontract to other, smaller companies. So, this is yet another opportunity. And if you are wondering what the contracts are for, in FY2020, 51% of total DoD contract obligations were for services, 41% for goods, and 8% for research and development (R&D).2

CMMC Certification: Why?

We already have DFARS (Defense Federal Acquisition Regulation Supplement) and the NIST (National Institute of Standards and Technology. Do we really need more regulations, more certifications? We hear about hackers and cybercrime all the time. But how pervasive and dangerous is it?

The theft of intellectual property (IP) and sensitive information from all U.S. industrial sectors due to malicious cyber activity constitutes a significant threat to our economic security and national security. It is estimated that over a 10-year period, cybercrime could cost the U.S. economy as much as $1.9 trillion dollars.3

Yes, CMMC will protect the DoD and its supply chain. But it will also protect our economy, national security, and all the contractors and subcontractors. CMMC will also protect you.

The Certification Process

The certification for CMMC is composed of five (5) maturity levels with progressively more demanding requirements on processes and practices.

Of course, there is a great deal of specificity under each heading, for both processes and practices. As you might imagine, risk levels determine what level of certification is required for a given project. That information is provided right off the bat when an RFP (Request for Proposal) is issued. Some projects may require only a Level 1 certification, and others may require a Level 5 certification.

For example, the DoD is sending out an RFP to print and bind Stealth Fighter Jet operational manuals. Company A is bidding on that project which requires Level 5 certification. Your company, Company B, is bidding on providing just the blank paper for the manuals, and that requires only Level 1 certification. There may be other elements of the project that require Level 2 or 3 or 4 certifications.

The point is that every project has a designated certification level, clearly indicated on the RFP, so you do not waste your time bidding on projects for which you do not have the proper clearances and certifications.

To be honest, meeting the requirements for each certification level is not a walk in the park if you go it on your own. Fortunately, Microsoft has developed a program that provides Microsoft Partners, like Strategic Systems Group (SSG), the tools to work with clients like you to help you achieve each successive level of security certification.

We can get you started on your CMMC compliance journey with:

  • Advisory services
  • Gap assessment, analysis, and remediation
  • Tool consolidation
  • Minimization of threat landscape
  • Reduction of the total cost of security operations
  • Training
  • Managed security services

We can work with you every step of the way so that by the time 2025 rolls around, and you will have the certifications you need to win those lucrative DoD contracts.

Strategic Systems Group (SSG)

Strategic Systems Group, a trusted long-term Microsoft Partner, has worked with manufacturers, distributors, and service organizations for 30 years. As such, we are ideally positioned to help clients win DoD contracts, whether you have already worked for the DoD and want to continue doing so, or you have never worked for the DoD and want to start.

Take the next step…

Get started—gear up for the DoD’s new CMMC requirements. Call Strategic Systems Group (SSG) at (310) 539-4645 or reach out via our contact form today!

Related Post

Enterprise Resource Planning (ERP) for Aerospace and Defense Manufacturing

1Cybercrime to Cost the World $10.5 Trillion Annually by 2025, Cybercrime Magazine, November 13, 2020

2Defense Primer: Department of Defense Contractors (fas.org)

3Federal Register:: Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)