Who is affected by CMMC? All government contractors working with the DoD will need to become CMMC-certified by passing an independent CMMC audit from a C3PAO to verify they have met the appropriate level of cybersecurity for their business. The CMMC level required will be specified for each contract by the DoD in the Request for Information (RFI) and Request for Proposals (RFP).
When will you need to meet the appropriate certification level? Government contractors will need to be compliant at the time the contract is awarded.
Are subcontractors affected? Yes, subcontractors working under a prime contractor will be expected to also maintain compliance.
What’s the difference between NIST 800-171 and CMMC? CMMC differs from NIST 800-171 because it includes five levels of cumulative practices and processes – this focus on processes is one major difference. CMMC seeks to institutionalize these processes, so that they will continue to be performed.
Will I need to be re-certified every year? Yes, CMMC certification is required on an annual basis.
Catch up on the latest Federal Compliance Webinar
Watch this exclusive Q&A series with Tony Bai, where he provides real insights on the latest in CMMC.
About our CMMC team
Federal Practice Lead
A 20-year Air Force retiree, Tony is responsible for overseeing NIST-based engagements, including FedRAMP, FISMA, and 800-171, and providing cybersecurity advisory and guidance to our clients. He has over 27 years of IT experience with the last 10 years specializing in cybersecurity, providing risk assessments for government agencies and Fortune 500 companies across multiple industries.
And when he’s not leading the federal team at A-LIGN? You can catch him at comic book conventions or supporting his children’s Boys and Girls Scouts troops.