Companies handling “controlled unclassified information” (CUI) and “federal contract information” will need to earn a Cybersecurity Maturity Model Certification (CMMC).
Companies with DFARS clause 252.204-7012 in their DoD contracts are already required to implement NIST SP 800-171. DFARS clause 252.204-7012 was included in contracts that involved handling “controlled unclassified information” (CUI). It follows that these companies will have a CMMC requirement of level 3 or higher.
Companies only providing Commercial-Off-The-Shelf (COTS) products to the DoD may not require a CMMC certification. Commercially available off-the-shelf (COTS) items are commercial items (as defined in paragraph (1) of the definition at FAR 2.101), sold in substantial quantities in the commercial marketplace, and offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which they are sold in the commercial marketplace. COTS items do not include bulk cargo, as defined in section 3 of the Shipping Act of 1984 (46 U.S.C. App. 1702), such as agricultural products and petroleum products.
Summary: All companies with a DoD contract who handle either “controlled unclassified information” (CUI) or information that is “for official use only” (FOUO) will need to earn a CMMC certification.