So you are a defense contractor or maybe you are participating in a large defense contract. As a result, you may have heard that you need to comply with CMMC. Let's talk about what that is.
I'm Doug Barbin, managing principal, and chief growth officer at Schellman. Schellman is one of the first authorized C3PAOs or CMMC third-party assessment organizations. CMMC is the Cybersecurity Maturity Model Certification created by the Department of Defense, and it was created to provide a baseline security standard for government contractors that may handle sensitive information on behalf of the DoD. The program itself comes from a set of standards that have been around for some time, specifically the NIST 800-171 standard, which governs the use of sensitive information that is shared with defense contractors as part of doing work with the DoD.
What was needed, however, was a uniform program to oversee not just the larger defense contractors that may be handling sensitive information, but all of the subcontractors beneath them that may roll up as part of a larger defense contract.
If you take, for example, Raytheon or Northrop Grumman, they may have large (hundreds of millions of dollars) government contracts, and they may get sensitive information as part of that contract. At the same time, they may use a hundred or hundreds of subcontractors to perform services under that contract. Anyone in that chain who has access to or handles sensitive information (there's a variety of different types) would potentially fall under CMMC. What that means is that an organization such as Schellman may come in and perform an assessment of the security controls and requirements that a company has for handling that information.
So whether you're a defense contractor performing work directly for the DoD or potentially a subcontractor performing work for a larger defense contractor, contact us today to learn more about your potential obligations, what CMMC means to you, and how Schellman can potentially assist.