Department of War (DoW) Cybersecurity Maturity Model Certification (CMMC)

Overview

The Cybersecurity Maturity Model Certification (CMMC) program is aligned with the Department of War (DoW) information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of sensitive unclassified information that the DoW shares with its contractors and subcontractors. The program gives the DoW increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process information the DoW considers sensitive.

CMMC Status

On December 26, 2023, the DoW released the proposed rule for CMMC, which requires contractors, including their suppliers and subcontractors, that are entrusted with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information.

The first phase of CMMC implementation will begin November 10, 2025. CMMC assessment requirements will be implemented using a four-phase plan over three years. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4. This phased approach allows time for assessors to be trained and for companies to understand and implement CMMC assessment requirements.

Contractors should ensure they are prepared for the upcoming requirements of CMMC. Companies should make sure they have the appropriate investment across multiple groups within the organization, including cyber, information security, legal, compliance, supply chain and critical business stakeholders.

Proposed Levels and Assessments

Under the proposed rule, CMMC assessments will be conducted by three different groups, depending on the level being sought. Results of those assessments will be reported in the DoW's Supplier Performance Risk System (SPRS).

  • Contractors input Level 1 and Level 2 Self-Assessments directly into SPRS
  • Certified Third-Party Assessor Organization (C3PAO) inputs CMMC Level 2 Certification Assessment in the CMMC Enterprise Mission Assurance Support Service (eMASS)
  • Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) inputs CMMC Level 3 Certification Assessments in eMASS

A senior official from the prime contractor and from each relevant subcontractor must affirm continued compliance with the specified security requirements after each assessment, including after closeout of any Plan of Action and Milestones (POA&M), and annually thereafter. These affirmations are entered electronically in SPRS.

Proposed Schedule

The phases are scheduled as follows:

  • Phase 1: November 10, 2025 – October 31, 2026
  • Phase 2: November 10, 2026 – October 31, 2027
  • Phase 3: November 10, 2027 – October 31, 2028
  • Phase 4: On or after November 10, 2028

For additional information please refer to the DoW CIO website.

Reporting a Cybersecurity Incident

In accordance with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, suppliers are required to rapidly report cyber incidents to the DoW within 72 hours of discovery. The clause also requires a subcontractor to notify the prime contractor (or next higher-tier subcontractor) when it submits such a report, so suppliers should contact GDIT as described below in addition to meeting their own DFARS reporting obligation.

The GDIT Cyber Security team responds to and investigates cyber security incidents related to misuse or abuse of GDIT information and information technology resources. A cyber security incident is defined as any event that adversely impacts GDIT data or information systems or is a real or suspected action inconsistent with GDIT Privacy or Acceptable Use policies.

If you experience, observe, or are made aware of activity which you believe may be related to a cyber security incident, immediately email the relevant information to CyberSecurity@gdit.com or call the GDIT SOC Hotline number 1-571-386-3500.

Achieving Cybersecurity Compliance – Helpful Cybersecurity References