The Department of Defense Office of the Under Secretary of Defense for Acquisition and Sustainment has developed a new certification framework to address the risks posed by contractors with inadequate cybersecurity controls. All DoD contractors and subcontractors within the defense industrial base—estimated to be around 300,000 organizations—must be prepared to be independently audited and certified against one of the new Cybersecurity Maturity Model Certification’s (CMMC) five maturity levels.
CMMC requirements will be included in sections L and M of DoD requests for information in June 2020 and in requests for proposals in Sept. 2020, with CMMC certification being required in contracts over the next few years. Organizations need to begin identifying and addressing their gaps against their target CMMC maturity level to lessen the risk of being disqualified when contract bids are released.
There are several critical things organizations must know about the CMMC in order to begin aligning their security processes, practices and controls:
How does the CMMC work?
The CMMC is modeled after several existing frameworks but centers on NIST Special Publication 800-171. Organizations are certified based on the level of risk to controlled unclassified information and federal contract controls, by demonstrating that they maintain the full set of controls required at the desired level.
What if we already comply with existing DFARS or NIST 800-171 requirements?
Compliance with these requirements is a great first step toward CMMC compliance, but the new guidelines establish additional expectations and security controls that organizations must also meet.
What should organizations do to prepare for CMMC?
Doing nothing is not an option for organizations that plan to do business with the DoD going forward. Some uncertainty still exists around the CMMC, but many details have already been published, providing a framework for taking action in the coming weeks and months.
How can a third party assist with compliance?
Insight from an experienced third party can make the necessary adjustments to an organization's information security posture a more manageable task. An advisor can get companies ready for CMMC compliance while also identifying opportunities to right-size their cybersecurity programs.