5 Things You Should Know: CMMC

CMMC has been a hot topic for federal government contractors of late, for good reason: once CMMC is rolled out, contractors under a particular Defense Department procurement must meet the applicable cybersecurity level, or they’ll be considered ineligible.

But in case you’re still wondering what CMMC is and why it matters, let’s take a closer look. Here are five things you should know about the Department of Defense’s new Cybersecurity Maturity Model Certification (“CMMC”).

1. What is CMMC?

At its most basic, CMMC is a certification of a company’s cybersecurity. There are five levels of CMMC certification, ranging from basic cyber hygiene practices (Level 1), all the way to the most sophisticated cybersecurity efforts for the most sensitive projects (Level 5).

I’ll confess, I’m not a cybersecurity guru. But DOD has published the CMMC model (v1.0) for contractors to review. Level 1 certification basically follows FAR 52.204-21. From there, each level adds various requirements and practices from NIST 800-171r1 or 800-171B.

2. Why does CMMC matter?

Beginning in mid-2020, DOD will begin assigning a CMMC level to every single procurement it issues. But because a cybersecurity requirement without any teeth to ensure compliance is just a cybersecurity recommendation, DOD has given CMMC a set of fangs: it has made compliance with the applicable CMMC level a mandatory element of contract eligibility. In other words, if an offeror doesn’t meet the CMMC level assigned to a solicitation, it won’t be eligible for that award.

That’s not all. Compliance with the applicable CMMC certification is required for any subcontractor under the opportunity, too.

Let’s say the Air Force seeks to award a contract for IT services at McConnell Air Force Base, in Wichita. Reviewing the requirements, the Contracting Officer believes that CMMC Level 4 is appropriate and assigns it to the procurement. Each prime offeror—and every potential subcontractor—must have a CMMC Level 4 certification (or higher) to be eligible.

Now let’s say the Air Force wants to issue a contract for grounds maintenance services at McConnel Air Force Base. Obviously, a CMMC Level 4 certification would be overkill in this situation; instead, Level 1 might be appropriate. So long as a company has the appropriate level certification, it will be eligible to bid.

3. How can your company get its CMMC certification?

CMMC certifications must be obtained through a third-party auditor. As of this writing in mid-February 2020, DOD has not yet announced who those auditors will be, or what that process will look like. DOD has said, however, that it will start including CMMC level requirements in requests for information as early as June 2020.

Helpfully, DOD has issued the draft model for review. I suspect that there will be a crush of audit requests once that process is formally announced. Companies would be well-served to begin reviewing and implementing CMMC v1.0 now.

4. Will CMMC cost your company money?

Undoubtedly, yes. Companies needing to boost their cybersecurity efforts in response to CMMC might need the assistance of specialists that can provide the needed equipment, software, and procedures. But even if your company has rigorous cybersecurity protections in place, it will have to bear the costs of going through an audit and receiving a CMMC certification.

Though CMMC compliance will cost money, there’s hope. The SBA and DOD have tried to provide assistance, where possible, to small business federal contractors. Your local Procurement Technical Assistance Center might have resources available, too. Importantly, moreover, DOD has announced that cybersecurity costs will be an “allowable cost” under DOD contracts, which could allow small business prime contractors the chance to recover some of the associated compliance costs.

5. Should you care about CMMC even if you don’t work with the Department of Defense?

Absolutely, for two reasons. First, it’s obviously good to have a robust cybersecurity defense, to help protect your business and customers.

Second, CMMC might be the wave of the future. The risks associated with data breaches and cyber intrusions don’t just affect DOD—every federal agency is at risk. So although CMMC is, for now, a DOD-specific initiative, it wouldn’t surprise me if Uncle Sam adopted a government-wide cybersecurity certification requirement to help protect its information.


It’s not hyperbolic to say that CMMC might be one of the most important federal contracting developments in recent memory. Going forward, every DOD contractor—prime or subcontractor, small business or large—must meet the required CMMC certification; and if it doesn’t, it will not be eligible for the award.

Questions about this post? Email us or give us a call at 785-200-8919.

Looking for the latest government contracting legal news? Sign up for our free monthly newsletter, and follow us on LinkedIn, Twitter and Facebook.