The cybersecurity certification process announced by the Department of Defense in January finally takes effect on November 30, 2020.
This new certification process, known as the Cybersecurity Maturity Model Certification (CMMC), “provides a methodology for assessing DoD contractor compliance with security requirements as outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for the protection of Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.”
In layman’s terms, CMMC is a framework for assessing the cybersecurity environment and policies of companies contracted through the Defense Industrial Base (DIB). The framework encompasses five certification levels reflecting the maturity and reliability of an organization’s cybersecurity infrastructure and controls, and its ability to safeguard sensitive government information.
The levels are cumulative, meaning compliance with a higher level requires meeting all of the security and technical specifications of the lower levels. As you can imagine, DoD contracts that carry more vulnerabilities will require contractors to meet higher security standards, meaning a higher certification level will be necessary. Other than the fact that Level 3 contracts and higher will deal with significantly more CUI, specifics regarding which types of contracts are associated with each certification level have not yet been released.
As the DoD plans to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS), contractor compliance will become a requirement for contract award beginning with some RFPs and RFIs this year and culminating with all contracts for fiscal year 2026. Prime contractors as well as their subcontractors will have compliance requirements, so businesses of all sizes may need to have CMMC on their radar.
What Are the CMMC Certification Requirements?
Complete details of the certification requirements have yet to be published but capability domains are known to include:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Process Maturity
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Prior to the CMMC, companies could self-certify their compliance under the applicable Defense Federal Acquisition Regulation Supplement (DFARS) clauses. Because companies were not previously required to provide evidence that they were following security best practices, this process allowed companies with security gaps to continue to provide products and services to the DoD and inevitably led to breaches, disruptions, and IP theft in the defense supply chain.
Under the CMMC, companies must be audited by a CMMC Third Party Assessment Organization (C3PAO) to achieve compliance. The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit C3PAOs as well as individual assessors. Contractors can learn more about the accreditation process and, once they are available, secure services from a C3PAO via cmmcab.org/marketplace.
Meanwhile, contractors are encouraged to prepare their organization to meet the standards described above by beginning to adopt and document many of the best practices already outlined by other security standards providers and offered by Carmichael Consulting.