The Department of Defense is reportedly poised to release a batch of 15 RFPs that will include the new Cybersecurity Maturity Model Certification (CMMC) requirements. CMMC requires that all companies handling government Controlled Unclassified Information (CUI) have security standards commensurate with the type of information to be handled and appropriate to their specific role in working on the contract. The CMMC roll-out has been expected for some time, but contractors can expect confusion over whether CMMC applies to specific acquisition actions. Companies selling through commercial item and service contracts need to be prepared.

So many people have CMMC on the brain that it is almost certain that some DOD buyers will have forgotten that the standard does not apply to commercial procurements. Similarly, it does not apply on any contract that does not involve contractor handling of CUI. Contractors should be prepared with a written fact sheet to counter any attempt to apply the standard where it should not be applied. Subcontractors should also be prepared to show their prime contractors why they may not need to have CMMC certification for specific contracts.

Of course, some companies may elect to certify that they are CMMC compliant in order to meet persistent requests. No company, however, should certify to something it does not understand, or before it has confirmed that it meets the requirements in play. The initial 15 contracts may be well-selected, but companies need to check other DOD procurements and understand what this new term means for them before signing up for it.