More than 300,000 DoD contractors and subcontractors make up the Defense Industrial Base, each scrambling to understand and implement CMMC certification initiatives. The process and timing make them a valuable target for unscrupulous service providers. Find out why achieving CMMC compliance is out of reach today and what you can do now to prepare.
Defense contractors and the Department of Defense (DoD) have reported a notable increase in fraudulent, confusing, and misleading solicitations from service providers offering CMMC certification. These businesses seek to take advantage of proactive defense contractors who prioritize achieving CMMC compliance, and they will attempt to collect payment for services they are not equipped to provide.
How do we know these are false? Because there are no auditors for CMMC yet. DoD Under Secretary Ellen Lord publicly spoke out against companies claiming to provide CMMC certification to contractors:
"Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD... so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department."
How will DoD offer CMMC certification?
The DoD itself will not be certifying companies for CMMC. Instead, the 13-member CMMC Accreditation Board (CMMC-AB) has been formed, including professionals from defense companies and leaders within the cybersecurity and academic communities. This accreditation board is responsible for establishing and certifying a group of CMMC third-party assessment organizations, called C3PAOs, and has released program details for the C3PAOs who will conduct the assessments. However, defense companies cannot afford to wait to begin CMMC certification efforts and need to take every step leading up to the point of their CMMC certification audit.
What can DoD contractors do to prepare for CMMC compliance now?
Begin preparing for CMMC certification today
Defense companies should start by reviewing the cyber hygiene requirements needed for their desired compliance level and noting critical dates on the CMMC timeline:
While CMMC compliance cannot be reached until C3PAOs and independent assessors are certified, the DoD is already planning to require CMMC certification for RFPs by the end of the year.
If you are a defense company, you should be planning, drafting policies, deploying relevant solutions, and instituting company-wide policy changes now.
Make no mistake, claims from companies promoting services that get your organization to CMMC certification today are 100% false. While CMMC compliance cannot be reached until C3PAOs and independent assessors are certified, you can stay up to date on the latest CMMC developments by regularly visiting the DoD's website for updates or by contacting a defense cybersecurity IT firm like eTrepid for an initial readiness assessment.
Avoid scams by contacting us to receive an educational consultation regarding your Gap Analysis and determine where your focus should be, or join in on an upcoming webinar reviewing Compliance and CMMC Unmasked.