The Department of Defense (DoD) recently announced the development of the "Cybersecurity Maturity Model Certification" (CMMC), a standard aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (DIB), particularly as it relates to controlled unclassified information (CUI) within the supply chain. This new standard will provide oversight for the current Defense Federal Acquisition Regulation Supplement (DFARS) requirement that contractors handling sensitive unclassified information protect it in accordance with the 110 security controls laid out in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
The CMMC will require DoD contractor information systems to be certified by a third-party auditor starting in 2020 to 2021. A nonprofit organization will be authorized to oversee the program and accredit the outside, private-sector auditors.
The current DFARS requirements call for contractors to self-attest compliance and to document that compliance in a System Security Plan (SSP) and a Plan of Action and Milestones (POAM). This model has not worked: currently the majority of contractors are NOT compliant. Many contractors are NOT aware of the standard, while others are ignoring the requirements.
Key Takeaways from the CMMC Website Include:
- CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. The controls and processes associated with a given CMMC level, when implemented, are expected to reduce risk against a specific set of cyber threats.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- The intent is for certified independent third-party organizations to conduct audits and report on risks.
Impact to Contractors
Details relating to the scope, breadth, and implementation of the CMMC are limited. However, the CMMC standard underscores DoD's emphasis on implementing more stringent oversight requirements in response to continued phishing and ransomware attacks.
How We Can Help
CKSS understands the effects of the new CMMC standards on the DoD community and can provide DoD contractors with guidance and support in complying with this new standard. CKSS is certified in the State of Maryland to assist DoD contractors in complying with DFARS and NIST SP 800-171 requirements.