

Notice of Upcoming Cybersecurity Maturity Model Certification (CMMC) Requirements
Dear Valued Subcontractor,
This letter serves as notice of upcoming cybersecurity compliance requirements affecting KMK Construction, Inc. (KMK) and its Subcontractors.
In 2016, the U.S. Government established regulations requiring contractors and subcontractors participating in the Defense Industrial Base (DIB) to implement cybersecurity controls, primarily under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
In recent years, the U.S. Government identified significant gaps in the DIB’s implementation of these requirements. To enforce compliance, the Department of Defense, in partnership with The Cyber AB, is finalizing the Cybersecurity Maturity Model Certification (CMMC) program. The final rule is being issued under Title 32 of the Code of Federal Regulations (CFR) and is anticipated to be published in mid-2025. Once effective, CMMC requirements will appear in Department of Defense solicitations and contracts, flowing down to subcontractors at all tiers.
KMK and its Subcontractors will be subject to these CMMC requirements. KMK is committed to assisting our Subcontractors through this transition. We recommend the following actions be undertaken:
- Engage a CMMC consultant, compliance advisor, or Managed Service Provider (MSP), as needed. KMK can recommend reputable partners upon request.
- Designate a CMMC Compliance Lead within your company. This individual should consider pursuing The Cyber AB’s Registered Practitioner (RP) and/or Certified CMMC Professional (CCP) certifications, becoming an internal compliance champion.
- Register in the System for Award Management (SAM.gov) and the Procurement Integrated Enterprise Environment (PIEE) and perform a NIST SP 800-171 self-assessment within the Supplier Performance Risk System (SPRS).
- Continue implementing and maturing NIST SP 800-171 controls, closing any identified gaps, and preparing for a CMMC assessment.
- Engage in CMMC training opportunities, including webinars, seminars, and resources provided by The Cyber AB, DoD, and industry groups.
For your convenience, the following page provides helpful links and resources to assist with CMMC preparation.
Thank you,
Tyler Phillips
Vice President of Contracts & IT
Helpful Resources and Links for CMMC Preparation
1. Official CMMC Resources
- The Cyber AB — Accreditation Body for CMMC: https://www.cyberab.org/
- Department of Defense CMMC Program Website: https://dodcio.defense.gov/CMMC/
2. NIST SP 800-171 Resources
- NIST Special Publication 800-171 Revision 2 (Protecting CUI): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
3. Registration Platforms and Self-Assessment Platforms
- System for Award Management (SAM.gov): https://sam.gov/
- Procurement Integrated Enterprise Environment (PIEE): https://piee.eb.mil/
- Supplier Performance Risk System (SPRS): https://www.sprs.csd.disa.mil/
4. Additional Guidance and Tools
- NIST Handbook 162 (Guide to Implementing NIST SP 800-171 for Small Businesses): https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
- Department of Defense Controlled Unclassified Information (CUI) Program: https://www.dodcui.mil/