CMMC Official Advises Companies to Pursue Accreditation Early
The Cybersecurity Maturity Model Certification Accreditation Body has advised defense contractors not to hold off on pursuing CMMC accreditation once audits become available.
CMMC-AB CEO Matthew Travis said that companies should seek certification even before it becomes a requirement in defense contracts, National Defense Magazine reported Tuesday.
“You can think of a lot of different financial incentives as well as qualitative incentives,” Travis told National Defense Magazine, noting that the Department of Defense offers benefits to companies that seek CMMC certification without being required to by a government contract.
Travis added that voluntary CMMC accreditation signals to the DOD and the industry that a company is conscious about its cybersecurity status, especially in the wake of the major cybersecurity incidents of 2021.
CMMC certification will eventually become the “coin of the realm” in government contracting, Travis said, claiming that there will come a time when defense companies will stand out for not being accredited.
In late 2021, the DOD implemented its “CMMC 2.0” policy to restructure the program’s system for evaluating cybersecurity maturity.
CMMC 2.0 reduced the number of maturity levels by focusing on the most critical requirements. The revamped CMMC program also leans on widely accepted standards, including one developed by the National Institute of Standards and Technology.
The new regime allows companies to conduct self-assessments for Level 1 accreditation. Travis said that companies may still turn to certified third-party assessment organizations in lieu of self-attestation.
Redspin, one of only five C3PAOs, said that the demand for Level 1 audits has remained high despite the changes in CMMC policies.