Level 1 certification will be required for all companies and institutions in contract with the DoD. Level 2 certification will be required for any contract handling CUI. At present, Drexel University plans to acquire a Level 2 certification.
A “C3PAO”, or CMMC Third-Party Assessment Organization, is an entity certified to provide consultative advice or to certify assessments.
The National Defense Authorization Act Section 889 (NDAA 889) is an amendment to the Federal Acquisition Regulation (FAR). It prohibits government agencies from entering into, extending, or renewing a contract with an entity using equipment, system(s), or service(s) classified as covered telecommunications and video surveillance equipment or services.
The US Government updates this rule periodically. In addition to the list of companies below and their subsidiaries and affiliates, the list of prohibited entities now includes other entities believed to be owned, controlled by, or connected to either the People's Republic of China or the Russian Federation.
- Huawei Technologies Company
- ZTE Corporation
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
- Kaspersky Labs
Drexel will have to certify that any equipment, systems, or services used in research or other work with the Government do not contain any telecommunications and video surveillance equipment or services covered under NDAA 889. Purchasing equipment and services from these vendors could jeopardize Drexel's ability to receive federal funding.
Meeting all CMMC requirements is important in order to remain eligible for DoD research contracts. Not being compliant may impact Drexel’s research status.
Individuals or groups seeking to do business with the DoD should:
- Review the Request for Information (RFI) and Request for Proposal (RFP) for the appropriate CMMC level.
- Ensure the appropriate cybersecurity measures are in place for the required CMMC level.
- Possess the appropriate level of CMMC certification before accepting an award.
- Ensure compliance with the NDAA 889 regulation.
- Comply with the interim DFARS rule.