With the accelerating CMMC rollout announcements of last year and the updates the DoD has released since, there has been an industry-wide push to get cybersecurity fully implemented as contractors prepare to become CMMC certified.
For contractors anxious to know how CMMC will affect the process of awarding contracts, one announcement worth paying attention to is the DoD’s recently released guidance for program managers in charge of choosing contractors.
DoD Instruction 5000.90, “Cybersecurity for Acquisition Decision Authorities and Program Managers,” spells out program managers’ (PMs’) responsibilities for cybersecurity and what they should expect from vendors. Here are several main takeaways that DoD contractors should note from this CMMC guidance for program managers.
The DoD Is Taking CMMC Security Seriously as a Factor in Awarding Contracts
Although many contractors have built up long-standing industry relationships, PMs can no longer award contracts, even to trusted partners, solely on reputation or goodwill; program managers are instructed specifically to evaluate cybersecurity when examining vendors for contract eligibility.
In fact, PMs are made responsible for ensuring that cybersecurity requirements are considered and included, which means they can, and likely will, be held accountable if a vendor’s security is found wanting. That gives PMs a strong incentive to ensure every cybersecurity requirement is followed.
The DoD has made it clear that it won’t do business with organizations that fall short of these requirements. This is why you can’t just check off the boxes. Cybersecurity is now a foundational requirement that must be met before an organization becomes eligible for new contracts.
What Are Program Managers Looking For in Terms of Security When Awarding DoD Contracts?
CMMC’s requirements are many. They include completing a self-assessment against the 110 NIST SP 800-171 security requirements and preparing a POA&M for any gaps, reporting your score to the Supplier Performance Risk System (SPRS), fully implementing your POA&M, and demonstrating cybersecurity maturity by sustaining the necessary level of security before being awarded a contract.
Here are just a few of the points that program managers are instructed to pay attention to when judging whether a contractor has met the necessary cybersecurity requirements:
- Protections against known and anticipated threats, as well as potential future vulnerabilities
- Continuous cyber threat analysis
- Security programs that cover all aspects of the system, including operational cybersecurity and supply chain resilience
- Periodic threat-representative adversarial assessments of the cyber technologies in the materiel solution, to assess their ability to complete missions in a cyber-contested environment
- Security that is continuously enforced through the risk management framework (RMF) and supply chain risk management (SCRM) processes
These indicators are only part of the extensive instruction and CMMC guidance that program managers must account for during acquisition. To fully meet the DoD’s expectations, you’ll need to meet all CMMC requirements and show established maturity in implementing the required measures, including those listed above.
CMMC Cybersecurity Categories and Related DFARS Resources
One section of the DoD cyber guidance that may be especially relevant and useful for contractors is the table summarizing CMMC categories and the corresponding instructions from DFARS resources.
That table lists the essential rules by cybersecurity pillar on the left, with the DoD instructional resources relating to each standard on the right.
No Time to Waste in CMMC Preparation
This instruction to DoD program managers reinforces the idea that you not only need to be CMMC certified, but you also need to prove you’re continually meeting the standards, even after your POA&M is implemented. That proof comes through maturity: the longer you’re established as an accredited CMMC contractor, the more credibility you’ll gain.
That’s why it’s vital to implement your POA&M as soon as possible instead of waiting until the last possible moment, so that you have months or years of a successfully run cybersecurity program behind you to show you will be an asset to work with, based not only on your services but also on your security.
Prepare for CMMC Certification with SysArc
Since 2017, we’ve helped over 150 contractors tackle DFARS, CMMC, the Interim Rule, and the other constantly evolving cybersecurity requirements for government contractors. We’re ready to help you with your CMMC readiness assessment, remediation, and the maturity needed to stay competitive in the industry.