Will My Business Need a CMMC Audit?

Whether your business needs a CMMC audit depends on several factors, including the size of your business and the type of work you do. If you work with any type of sensitive information – such as personal data or financial records – then you will almost certainly need to undergo a CMMC audit.

Department of Defense

Even if your business doesn’t handle sensitive information, you may still be required to have a CMMC audit if you want to do business with the US Department of Defense. The Department of Defense (DoD) is now requiring contractors to be certified under the Cybersecurity Maturity Model Certification (CMMC) program in order to bid on and win contracts. This means that if your business wants to continue working with the DoD, you will need to get certified.

Controlled Unclassified Information

There are a few factors that will determine whether or not your business will need to go through the CMMC audit process. The first is the type of contract you are bidding on. If you are bidding on a contract that requires access to Controlled Unclassified Information (CUI), then you will need to be certified under CMMC.

DoD Supply Chain Risk Management (SCRM)

Another factor that will determine whether you need a CMMC audit is whether your business is part of the DoD’s Supply Chain Risk Management (SCRM) program. SCRM is a voluntary program that businesses can opt into if they want to work with the DoD. If your business is part of SCRM, then you will need to go through the CMMC audit process.

Publicly Available Information

The last factor that will determine if you need a CMMC audit is the type of information your business has access to. If your business has access to any publicly available information (PII), then you will need to get certified.

Consult with a CMMC Assessor

If you’re not sure whether or not your business will need a CMMC audit, the best thing to do is to consult with a qualified CMMC assessor. They will be able to evaluate your specific situation and give you advice on whether or not you should pursue certification.