In January 2020, the Department of Defense (DoD) released the first model of the Cybersecurity Maturity Model Certification (CMMC), a tiered system of cybersecurity standards to be applied across the Defense Industrial Base (DIB). In December of 2021, the DoD rolled out CMMC 2.0, which builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements. All defense contractors will see CMMC Level requirements in their government contracts by 2025. Contractors processing Controlled Unclassified Information (CUI) will be expected to maintain either a CMMC Level 2 or Level 3, which will be specified in the solicitation or RFP. 

This presentation will focus on understanding if you have CUI, how to become compliant with specific strategies for small business, and what to expect in a CMMC C3PAO assessment. BDO will additionally provide updates to the status of CMMC rulemaking. We could see CMMC appear in contracts as early as this summer or as late as next summer.