The Department of Defense is drafting new CMMC Standards. These standards will replace NIST 800-171 on DoD RFIs and RFPs beginning in the Fall of 2020.
DoD contractors will need to be CMMC certified at one of the five maturity model levels by a third-party assessor (3PAO) before bidding on a contract or subcontracting to a prime.
Prime contractors must flow down the appropriate CMMC requirement to their subcontractors.
The CMMC levels range from basic cyber hygiene to state-of-the-art cyber security. The new requirements do not allow for self-attestation.
Some good news, though: DoD has determined that CMMC certification costs can be treated as "allowable costs" by contractors.
Performed
In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
Documented
In order to pass an audit for this level, the DoD contractor will need to implement another 46 controls of NIST 800-171 rev1.
Managed
In order to pass an audit for this level, the DoD contractor will need to implement the final 47 controls of NIST 800-171 rev1.
Reviewed
In order to pass an audit for this level, the DoD contractor will need to implement 26 controls of NIST 800-171 Rev B (Rev B is still in the public comments stage; 800-171 Rev 1 and its related documents are already approved).
Optimizing
In order to pass an audit for this level, the DoD contractor will need to implement the final 4 controls in NIST 800-171 Rev B.