The Department of Defense has announced a new initiative to more effectively secure the Defense Industrial Base (DIB) against cyber risks. This new initiative, called the Cybersecurity Maturity Model Certification, or CMMC, is aimed at enhancing the protection of controlled unclassified information (CUI) within the supply chain. The need for a revised and more rigorous framework became apparent with several high-profile breaches of DoD information in recent years, especially as cyber threats from nation-state actors become more prevalent.
The CMMC model will be based on existing cybersecurity standards and best practices and will map these controls and processes across several maturity levels ranging from basic cyber hygiene (level 1) to advanced (level 5). The CMMC model expands on the current DFARS regulations (DFARS 252.204-7012), compliance with which is currently self-assessed, by adding a verification component.
With CMMC, the evaluation process will assess the technical controls contractors have actually implemented, in addition to their policies and procedures documentation. Certified third-party companies, serving as auditors, will be needed to verify the contractor's certification level. Companies certified at higher levels will be eligible to bid on a greater number of contracts and opportunities. The certification requirement will also flow down to all subcontractors, requiring a greater level of substantiation from primes about their supply chain.
All future Requests for Proposals (RFPs) will specify a required CMMC level. DoD is planning to release the first iteration of the CMMC framework in early 2020 and to begin incorporating CMMC requirements into RFPs by mid-2020.
To help contractors navigate these new requirements, the Office of the Under Secretary of Defense for Acquisition and Sustainment has created a dedicated website with information on the proposed CMMC framework, and FAQs. Some key highlights are:
The first implementation of the CMMC framework will focus only on DoD. This could be expanded once the program has been more thoroughly vetted.
CMMC will apply to all companies doing business with the DoD, and to their subcontractors; certification will be required.
DoD is developing the CMMC framework by combining various existing cybersecurity standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032. This new model will go beyond merely measuring compliance and assess how thoroughly the organization has institutionalized cybersecurity best practices.
The CMMC levels will range from 1 (basic cyber hygiene) to 5 (advanced). These levels will determine contractors' eligibility to bid on RFPs. DoD will determine the required level on a per-contract basis, based on the scope of the project, the sensitivity of the data involved, and the potential cyber threats.
Certifications will largely need to be carried out by third-party auditors. Some higher-level assessments may require government assessors, including requiring-activity personnel, the Defense Contract Management Agency ("DCMA"), and the Defense Counterintelligence and Security Agency ("DCSA"). As of yet, it has not been disclosed what qualifies as a higher-level assessment.
Organizations currently doing business with DoD should start exploring CMMC certification now to ensure there is no interruption of contract awards or other business opportunities. Undergoing a thorough evaluation and risk assessment ahead of a formal audit will help an organization identify gaps and improve the certification level it can achieve. Incorporating proper enterprise risk management practices and incident response plans will be integral to achieving the higher-level certifications.