Do I need to be certified?

disel56

New member
I don't produce "data" or "info," I am a manufacturer of goods for the government only. Do I still need to go through all of this?
 

erin

Administrator
Staff member
Disel56,

Long story short? Yes, you do.

Every government contractor needs to be CMMC certified. The great thing, however, about CMMC vs former requirements and regulations is that there are different Maturity Levels (ML), 1-5. They build on each other so ML1 is the easiest to achieve while ML5 is the most difficult. It's likely that you won't need to be certified anything greater than ML 3, possibly even just ML1, but you won't know for sure until you receive the contract, which will tell you what ML you will need to achieve to get the contract.
 
Last edited:

disel56

New member
How will I know that I'll pass the CMMC audit? And how can I be prepared if I don't know what ML I never to be? What if I fail the audit; will I lose my contract? This is all really stressful.
 

erin

Administrator
Staff member
Hi disel56,

I can absolutely understand how stressful this must be for you; unsure if you will pass the audit.

Fortunately, according to a presentation given last May by Ms. Katie Arrington, the Chief Information Security Officer, Office of the Under Secretary of Defense for Acquisition and Sustainment, they will start testing the accreditation program and process this year. After that, most likely in mid- to late- 2020, they will begin to accredit the auditors. Once the auditors are accredited, you can begin to become accredited; once that occurs, they will begin to add the CMMC requirements to all the contracts.

So basically, it appears they are going to give you some time to become accredited.

However, you may not know what level you will need to be, but even if you don't deal with data or info, ML3 is basically "best practices" when it comes to cybersecurity; so even if you aren't required to be ML 3, it's definitely a good goal to work towards and here is why:

  1. If you don't have sufficient cybersecurity measures in place, you can still get hacked. I imagine you use technology in some capacity? Imagine if they hack your machines and you are unable to produce your goods until you pay a ransom. That could not only cause you loss in inventory, but it may also put your contracts at risk.
  2. You should be NIST SP 800-171 certified already. If you aren't, you could lose your contract before CMMC is put into place because it means that you lied about being NIST certified, which is breach of contract. If you are NIST certified, it shouldn't be that difficult to pass the audit.
  3. It gives you a competitive advantage. It will allow you to win new contracts that may require ML3 AND if you are competing for a contract, you can let them know you have gone above and beyond.
So, while it is stressful, you do have time to make sure you pass the audit. It's better to start preparing now than it is to wait because these requirements take time to implement.

If you have any questions about what it will require to become CMMC certified, feel free to call us at 919-422-2607 or schedule a free online consultation with Craig.
 
Get CMMC Compliant With PTG's CMMC Compliance Tool Kit - Learn More
Top