CMMC Check-in What Should your Firm be Doing Today to Prepare for the Spring 2023 Requirements Slides
PDF Summary
The presentation by Isaias “Cy” Alba, IV, Partner at PilieroMazza PLLC, and Tom Tollerton, Principal at FORVIS, LLP, covers critical compliance topics for government contractors: Cybersecurity Maturity Model Certification (CMMC) and Section 889 of the National Defense Authorization Act (NDAA).

CMMC 2.0, streamlined from five to three levels, mandates cybersecurity standards for Department of Defense (DoD) contractors based on the sensitivity of information handled: Federal Contract Information (FCI) for Level 1, Controlled Unclassified Information (CUI) for Levels 2 and 3. Unlike earlier iterations, CMMC 2.0 aligns fully with existing regulations (e.g., FAR 52.204-21, NIST standards), allows Plans of Action & Milestones (POAM) for partial compliance, and applies to all DoD contractors at contract award, including subcontractors. Certifications involve assessments by authorized third-party assessment organizations (C3PAOs) certified by the independent Cyber AB. Challenges include defining CUI scope, securing cloud service providers that meet compliance, and managing a certification ecosystem still in development with limited authorized assessors available.

Section 889 bans U.S. federal agencies and contractors from procuring or using telecommunications equipment or services from specified Chinese companies (Huawei, ZTE, Hikvision, etc.) or any entity controlled by the Chinese government. The ban applies to all executive agencies and prime contractors across all contract types without exemptions for small businesses or commercial items. Contractors must perform diligent reasonable inquiries into their own and subcontractors’ equipment and report prohibited items promptly, ensuring mitigation efforts. Subcontractors may use banned equipment in their business but cannot employ it in federal contract performance.

The evolving regulatory landscape requires contractors to adopt robust cybersecurity compliance plans, conduct thorough vendor and IT provider due diligence, and prepare for increased DoD oversight and audit activity to maintain eligibility for federal contracts.
Keywords
CMMC 2.0
Cybersecurity Maturity Model Certification
Section 889 NDAA
Department of Defense contractors
Federal Contract Information (FCI)
Controlled Unclassified Information (CUI)
Third-party assessment organizations (C3PAOs)
Cyber AB certification
Telecommunications equipment ban
Government contractor compliance