An Overview of the DoD’s Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense (DoD) will soon require all companies in the DoD supply chain to become certified under what is referred to as the Cybersecurity Maturity Model Certification, or CMMC. The CMMC is to be implemented in 2020 and will require every company that wishes to conduct business with the DoD to be officially certified against the new standard. In practice this means a DoD contractor will need to have its systems certified before it can bid on a DoD Request for Proposal (RFP). The CMMC does not discard the 2016 NIST SP 800-171 controls; it builds on them and replaces the current self-attestation model with a third-party certification. The CMMC initiative also includes substantial contributions from entities outside the DoD, including private-sector and academic institutions such as Carnegie Mellon University. Below are some of the key highlights of the CMMC:
Key Highlights
- The CMMC will be the sole and preeminent standard used across all DoD contracts starting in 2020-2021.
- DoD contractors will need to be certified at the specific security level a contract calls for just to qualify. In essence, if you can’t pass the assessment, you won’t be allowed to bid. Everything comes down to a “go/no-go” decision that determines whether a company can be awarded a DoD contract, so a “no go” decision can be devastating.
- According to the program’s early briefings, the CMMC deployment will include tooling for third-party cybersecurity certifiers to audit DoD contractors, with results reported back to the DoD. In other words, there is no sidestepping the CMMC: your adherence will be assessed. This also raises a question from a threat-intelligence perspective: what happens if the assessment tooling itself is compromised on the third party’s network?
- The CMMC will consist of 5 levels, from Basic Cyber Hygiene (Level 1) to Advanced (Level 5).
- First delivery of CMMC Version 1.0 is targeted for January 2020 with third-party audits to begin shortly after.
- The CMMC will use a non-profit organization to oversee the program and accredit private-sector auditors.
- There is no word yet on how long an awarded CMMC certification will remain valid. The duration is still under review, although the ability of a third party to monitor ongoing adherence will certainly play a role.

Timeline for CMMC enforcement
Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Katie Arrington, described the following timeline for CMMC:
- Mid 2019 – Working groups and creation of automated assessment tools
- Early 2020 – Begin developing oversight and certifier accreditation program, processes
- Mid 2020 – Test the certification program and revise it
- Mid/late 2020 – Accredit third-party certifiers
- Future – Begin adding CMMC requirement to all new DoD RFPs