The Defense Logistics Agency's Plan to Implement CMMC Requirements
If you are a government contractor serving the Department of Defense (DoD), then you are part of an elite group of organizations that make up the Defense Industrial Base (DIB). The Cybersecurity and Infrastructure Security Agency (CISA) estimates the DIB to be made up of more than “100,000 companies and subcontractors working under contract for the Department of Defense at any given time.”
As part of the DIB, you are subject to the Cybersecurity Maturity Model Certification, or better known as CMMC. CMMC is a set of cybersecurity standards created to ensure the DIB and other relevant government contractors are properly protecting sensitive unclassified information.
In July, the Defense Logistics Agency (DLA) released a notice in their newsletter clarifying their planned implementation of CMMC requirements as directed by the Interim Rule 2019-D041. In addition to this statement, the DLA also announced certain requirements that contractors need to follow starting August 16, 2021, if they want to be considered for contract renewal or award. Let’s dive into what you should know about CMMC and how it affects you as a government contractor.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
By now most if not all DIBs should be aware of what CMMC encompasses and the five maturity levels that range from "Basic Cybersecurity Hygiene" to "Advanced/Progressive.” The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract awards going forward.
CMMC is based on trust but adds the important verification component with respect to cybersecurity requirements. A goal of CMMC is to be cost-efficient and affordable for all businesses to implement, including small businesses. Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates.
Why is CMMC Needed in the DIB?
In the past, the provision at DFARS 252.204-7019, “Notice of NIST SP 800-171 DoD Assessment Requirements,” allowed for DIB contractors to conduct self-assessment to protect agencies, contractors, and stakeholders from cyber threats. But how has self-assessment, certifying, and reporting worked in protecting intellectual property (IP) and national economic and security?
Well, not particularly a stellar record, as the theft of IP and sensitive information undermines our nation's defense posture, economy, and supply chains and global costs last year are estimated at $600 billion, and with an average cost per American of $4,000. Ongoing cyberwarfare driven by nation-states, ransomware consistently disrupting private and public sector organizations, and the supply chain adds to it all.
This has all lead to a major push for modern, resilient cybersecurity measures that are not "nice to have," but these are "must-have" priorities for the U.S. and global economies, and national security.
That is why a standard framework like CMMC is needed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector.
What Government Contractors Need to Know About the Upcoming CMMC Requirements
DIB contractors cannot afford to ignore CMMC requirements any longer, as it is being phased in and starting to show up in notices, requirements, and solicitations.
As mentioned earlier, the Defense Logistics Agency (DLA) July newsletter put out a notice with the purpose to "clarify DLA’s planned implementation of Cybersecurity Maturity Model Certification Requirements (DFARS clause 252.204-7021) as directed by the DFARS Interim Rule 2019-D041."
Starting October 1, 2025, the CMMC will apply to all DLA solicitations and contract actions above the Micro-Purchase Threshold.
In addition, the DLA directed a phase implementation in Fiscal Year (FY) 2021 and plans to finish by FY 2026. The DLA expects to identify pilot acquisitions (acquisitions that include CMMC) in the following quantities:
- FY21: 1 new acquisition
- FY22: 5 new acquisitions
- FY23: 17 new acquisitions
- FY24: 22 new acquisitions
- FY25: 32 new acquisitions
Another important notice from the DLA in July states that starting August 16, 2021, contractors will NOT be considered for new or renewal contract awards UNLESS they have:
- Assessed their cybersecurity against NIST 800-171 and within in the last 3 years
- Scored it using the NIST required method
- Reported it via the DoD Supplier Performance Risk System (SPRS).
Up to this point, DIBs could attest to meeting NIST 800-171 and working the Plan of Action and Milestones (POAM) that would suffice many contract requirements. Not any longer in the age of nearly daily data breaches, hacks, and IP theft.
The fact is, if you want to be part of the DIB and serve the DoD and DLA contracts, then you must complete the above requirements if you want to be considered for new or renewed contract awards.
Regarding SPRS scores, we were unable to ascertain if there is a minimum score to participate in contracts, but we suspect this will be used as a differentiator on pursuits and a minimum threshold will be implemented. As with a personal credit score or a student’s GPA, the higher the score, seemingly the better or more successful the candidate or student. It's probably not going to be any different with government contractors' SPRS scores.
Are You Prepared for the Upcoming CMMC Requirements?
Now is the time to take the necessary steps to demonstrate your organization is committed to protecting your company. These two notices are solid examples that the DoD and DLA are serious in requiring DIB contractors to prepare for CMMC now. These requirements and others are also being implemented across government agencies, within new and renewal contracts, RFIs, and software, are all going to be vetted per Biden’s Presidential Cyber Executive Order.
For more information on CMMC requirements, audits, or the process in general, you can reach out to the Winvale team and we’ll point you in the right direction. If you want more information on CMMC, you can check out these resources:
- CMMC: What Contractors Should Know
- CMMC Model and Assessment Guides
- CMMC Audit, Consultation and NIST Experts from our partner Beryllium InfoSec.
- Project Spectrum is supported by the DoD Office of Small Business Programs, and provides information, training, and risk assessments to help vendors improve cyber readiness and comply with DoD requirements.
- Procurement Technical Assistance Centers (PTACs) provide vendors free assistance, including assistance related to DoD cybersecurity initiatives, to help them pursue contracts from DLA and other federal agencies.
About Thad Chappell
Thad Chappell is a Channel Manager for Winvale’s Public Sector department. Thad brings vast experience in account management, business development, as well as channel and partner development across many technical domains. He has experience with go-to-market strategies for start-ups and emerging technologies as well as stints as the sales and territory manager at public and SMB companies serving customer missions with a focus on customer and partner success.