February 18, 2020

February 17, 2020

Subscribe to Latest Legal News and Analysis

CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year. In an effort to enhance supply chain security, the CMMC sets forth unified cybersecurity standards that DOD contractors and suppliers (at all tiers, regardless of size or function) must meet to participate in future DOD acquisitions. Through the CMMC, DOD adds cybersecurity as a foundational element to the current DOD acquisition criteria of cost, schedule, and performance. We have previously discussed CMMC on our Government Contracts & Investigations Blog.

CMMC Maturity Levels

The CMMC includes five levels of certification, with five being the highest or most secure. This table provides a snapshot of the focus areas, number of practices, and requirements at each level:

CMMC Maturity Levels

Source of information: CMMC v.1, Sec. 2.7.1, available here.

Timeline

The DOD has expressed its commitment to a “crawl, walk, run” approach to implementing the CMMC. So, although CMMC v.1.0 was released last month, there will be a five-year rollout period, with all new DOD contracts containing the CMMC requirement beginning in FY 2026, but some could start requiring it as soon as this summer.

Putting it Into Practice: Any company that does business with the DOD will need to comply with CMMC. Companies should review current CMMC materials, track new releases, and aim to comply with the requirements in preparation for a third-party audit as soon as possible.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.

TRENDING LEGAL ANALYSIS


About this Author

Jonathan E. Meyer, Sheppard Mullin, International Trade Lawyer, Encryption Technology Attorney
Partner

Jon Meyer is a partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Mr. Meyer was most recently Deputy General Counsel at the United States Department of Homeland Security, where he advised the Secretary, Deputy Secretary, General Counsel, Chief of Staff and other senior leaders on law and policy issues, such as cyber security, airline security, high technology, drones, immigration reform, encryption, and intelligence law. He also oversaw all litigation at DHS,...

202-747-1920
Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law FIrm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a wide variety of matters relating to government contracts, including contract administration, procurement integrity, the FAR Mandatory Disclosure Rule, and GSA’s Multiple Award Schedule (MAS) Program.  In addition to her practice, Ms. Bourne writes frequently on legal and regulatory developments affecting the Government Contracts industry.

202-469-4917