GovCons: CMMC Impact on Financial Systems

Rose Report: Issue 41

By Ted Rose, President and CEO, Rose Financial Solutions

We’re all aware of the growing number of cybersecurity and data breach concerns our nation faces. According to Ellen Lord, the undersecretary of defense for acquisition and sustainment, “Cybersecurity risks threaten the industrial base, national security, as well as partners and allies.” To mitigate cyber threats, in January 2020, the Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC). The CMMC is far-reaching and will impact approximately 300,000 firms in the Defense Industrial Base (DIB) that will need to meet the new standards in order to seek contracts.

The CMMC is comprised of multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” According to the DoD, CMMC is intended to serve as a verification mechanism to make sure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect Controlled Unclassified Information (CUI) that resides on the Department’s industry partners’ networks. Along with CUI, the CMMC aims to protect Federal Contract Information or FCI. This is information provided by or generated for the U.S. government under a contract that is not intended for public release.

CMMC and Your Financial Systems
As you prepare your company to meet the new standards, it’s important that you do not overlook your accounting and financial systems. Keep in mind it is highly likely that your financial systems include FCI. As such, CMMC would require that your financial systems meet at least Level 1 practices. FCI will likely impact accounting, HR, payroll, email contracts, and BDS systems. You’ll need to consider exactly how this will affect your hosted accounting software and email services as well as your other service providers’ systems. Your goal should be to maintain at least the CMMC Level 1, in some cases, it may be necessary to move to Level 3.

CUI will be defined by your contract. You should discuss your contract with your contracting officer to clarify the presence of CUI. If your financial systems include CUI, you will require to maintain at least CMMC Level 3. If possible, eliminating CUI from your financial systems will reduce the CMMC requirement from Level 3 to Level 1. If this can be accomplished, we recommend that you follow a similar procedure that we see currently utilized for classified information, including using redactions, code words for contract names, and similar tactics. For more information on CUI, visit the National Archives website.

When implementing CMMC standards, make sure that you source providers with CMMC awareness and adequately-compliant financial systems. In October 2020, the DoD issued an interim rule implementing CMMC cyber rules for all DoD contractors. Effective November 30, 2020 contractors may not be awarded contracts, nor can they award sub-contracts, unless they, and their subcontractors, have performed self-assessments and reported those results to a DoD website. Third party verification will be required on certain contracts and will be rolled out and required on all contracts by September 30, 2025.

Please consult with your accountant about all of these issues as soon as possible. CMMC implications are rapidly evolving, and this article represents the information that we have up to the date of the article being published.

About the Author
Ted Rose is President, CEO, and Founder of Rose Financial Solutions (RFS). Ted founded RFS 26 years ago and is a recognized pioneer in finance and accounting outsourcing (FAO) and related accounting technologies. RFS is the leader in the next generation of FAO called Finance as a Service for Government Contractors. RFS’ GovCon FaaS encompasses the full range of GovCon/DCAA finance and accounting solutions including full lifecycle compliance for start-ups to $100 million GovCons. For more information please visit: rosefinancial.com.