The Department of Defense (DoD) has presented the latest step in its effort to quickly and efficiently secure the entire Defense Industrial Base (DIB) with sound cybersecurity practices. The Cybersecurity Maturity Model Certification (CMMC) will serve both as a cybersecurity assessment model and as a certification program. Contractors and subcontractors working for the DoD “will be evaluated upon the implementation of actual technical controls in addition to their documentation policies. These evaluations will lead to a level of certification of 1 to 5 [with] 5 being the most secure.” Companies holding higher certification levels will be eligible to bid on a wider range of contracts.
The CMMC creates a simpler and more consistent framework for contractors to follow in response to the continuing demand for heightened cybersecurity measures. The model is built on cybersecurity requirements that should already be familiar to companies in the DoD supply chain, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032. But instead of measuring a company’s compliance with a fixed set of regulations and controls, CMMC measures the maturity of the company’s cybersecurity practices. For example, a company that attains Level 3 certification will meet the requirements of NIST SP 800-171 and have an information security continuity plan in place. At Level 5, a company would “have ‘highly advanced cybersecurity practices’ and can respond at ‘machine speed’, according to the draft CMMC.”
To help contractors learn the new model, and the steps required to attain each certification level, the DoD plans to stand up a consortium in January 2020. The model is expected to begin appearing in requests for information by June 2020 and in requests for proposals by fall 2020. The level set under the CMMC will determine whether a company is allowed to bid on a given contract: “The DoD will assess which CMMC level is appropriate for a particular contract and incorporate that level into Sections L and M of the RFP as a ‘go/no go’ evaluative determination.” It will be the contractor’s responsibility to obtain certification through a third-party assessor. Higher certification levels may require assessments conducted by a government assessor. The cost of obtaining certification will be treated as an allowable, reimbursable cost.
The CMMC is the DoD’s attempt to level the playing field and to give contractors a single, consistent model to apply to the cybersecurity needs of the DoD supply chain. But some see the new model as cumbersome, yet another long list of requirements piled on top of the many already in place. The DoD acknowledges these concerns. Katie Arrington, Chief Information Security Officer for the DoD’s Office of the Assistant Secretary of Defense for Acquisition, said she sees CMMC as “a way to move past the array of disparate and scattered requirements and toward an environment that’s focused on protecting the defense supply chain.”