Ensuring the future of cybersecurity within the US Department of Defense.
Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense is in the process of publishing a five-level cybersecurity maturity model, known as the Cybersecurity Maturity Model Certification (CMMC), which will impact the entire defense industrial base. Unlike the current DFARS (NIST 800-171) requirement, the CMMC will require contractors, both prime and subcontractors, to undergo an independent third-party assessment verifying that a prescribed level of cybersecurity maturity has been achieved in order to qualify to be awarded contracts and receive funds from the DoD.
The details for the Cybersecurity Maturity Model Certification are emerging and will remain fluid for some time. However, we can address many of the most frequently asked questions below.
The CMMC has five defined levels of cybersecurity maturity, ranging from Level 1 (basic cybersecurity hygiene) to Level 5 (advanced/progressive cybersecurity capabilities). It is designed as a means by which the Department of Defense can gauge a company’s ability to protect federal contract information (FCI) and controlled unclassified information (CUI). The CMMC prescribes both processes (policies) and practices (controls) across 17 cybersecurity domains for each maturity level.
Once fully implemented, the CMMC certification requirement will replace the current DFARS (NIST 800-171) requirement. CMMC Level 3 aligns nearly one-for-one to NIST 800-171 Revision 1. The CMMC framework combines various control standards including AIA NAS9933, NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032 along with more general cybersecurity practices and processes into a singular unified standard for the Department of Defense. Specific to and in contrast to NIST SP 800-171, CMMC will implement multiple levels of cybersecurity rather than a binary classification, and will also not allow POAMs like the current DFARS requirement does.
According to the Office of the Under Secretary of Defense for Acquisition, Version 1.0 of the CMMC framework is expected to be published in late January 2020. It is currently estimated that the first requests for information (RFIs) from the DoD with the CMMC requirement will be released in summer 2020, and the first requests for proposals (RFPs) listing a designated CMMC level (listed in sections L and M of the RFP) are expected in October 2020.
The Department of Defense is migrating to the CMMC framework in an effort to enhance the cybersecurity of the Defense Industrial Base (DIB), using the CMMC as a form of verification for organizations working with the DoD. The CMMC will ensure organizations have achieved “appropriate levels” of cybersecurity maturity in order to protect and defend controlled unclassified information (CUI).
C3PAO stands for CMMC Third Party Assessment Organization. C3PAOs will be primarily responsible for assessing organizations looking to do business with DoD. On certain occasions, some “higher level assessments” will be performed by the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
The CMMC has been created and is managed by the United States Department of Defense. DoD funds will likely be used to fund the creation and management of a third-party accreditation body that will qualify C3PAOs (CMMC Third Party Assessment Organizations). The C3PAOs, in turn, will assess organizations vying for DoD contracts in either prime or subcontract capacities.
At this time, the CMMC is only designed for uses pertinent to the Department of Defense.
No, there will not be an opportunity for organizations to provide their own internal assessments.
Cybersecurity Maturity Model Certification costs are not available at this time, though the Office of the Under Secretary of Defense for Acquisition & Sustainment states that costs will scale appropriately based on the level of cybersecurity maturity.