CMMC requires each organization to undergo a third party audit to determine the maturity of their information security controls. Your maturity level (1→5) is used to determine which RFPs you are “qualified” to pursue.
The CMMC level required to win a project will be listed in Request for Proposals (RFP) sections L and M and used as a “go/no-go decision.” This means that instead of the ability to bid, win a contract, and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to that CMMC level required in advance, to be eligible to win the bid.
Perhaps even more important, many Primes are requiring their pursuit team members to be CMMC certified — even in cases where the contract does not yet require it.
One last note to consider, if your current contract has a DFAR252.204-7012 clause, whether you choose to pursue CMMC Level 3 or not, you still are contractually obligated to be provably NIST SP 800-171 compliant. The DCMA/DIBCAC have been more aggressive about enforcing this, even leveraging the False Claims Act to enact fines on DIB organizations who are not doing what they have said they have done.
Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.
The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information in both the public and private sector. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).
Helping organizations like your’s prove you’re secure and compliant (so you can grow your businesses) is what we have done for dozens of clients over the last 10+ years.