CMMC Model 1.0 Released: DoD’s unified cybersecurity standard for future acquisitions

cmmc v1.0

In a major effort to strengthen the cybersecurity posture of the hundred of thousands of Defense Industrial Base (DIB) subcontractors, the Department of Defense today released final Model Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework.

This version replaces previously released versions 0.4, 0.6, and 0.7, which have been made available to the public via the CMMC official website.

Model 1.0 sets forth the practices required to be in place for defense contractors to be CMMC certified. The CMMC levels are:

Level 1: Safeguard Federal Contract Information (FCI)
Level 2: Serves as a transition step in cybersecurity maturity progression to protect CUI
Level 3: Protect Controlled Unclassified Information (CUI)
Level 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

What’s next?

The expected process is that a select group of Department of Defense RFIs will contain a CMMC requirement in June 2020.

RFPs containing a CMMC requirement are expected in September 2020.

Contractors are being encouraged to begin CMMC preparations now.

Because all CMMC requirements must be flowed down to subcontractors, prime contractors are being encouraged to adopt a “mentoring” stance to help facilitate implementation of the requirements throughout the DIB supply chain.

How does an organization become CMMC certified?

The CMMC is not a self-attestation model, but rather a third-party certification and compliance model.

An Accrediting Body will be responsible for training and overseeing the assessors.  Only certified CMMC assessors will be permitted to validate CMMC compliance.   At an event sponsored by Holland & Knight in Tysons, Virginia on January 28, 2020, board members of the Accrediting Body expressed that they will be sprinting over the next year to get certified third-party assessors trained and ready.

On the speed of the CMMC roll-out, Katherine “Katie” Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment, remarked, “to you it feels aggressive, to me it feels like a glacier.”

What to watch for

News from the CMMC Accreditation Body on the availability of certified auditors.

A public comment period on proposed amendments to DFARS rule 7012 is expected to be available in Spring of 2020.

Clarifications and updated FAQs from the CMMC website.

Additional resources

Sera-Brynn’s webinar on CMMC draft Version 0.6 for a detailed analysis of Level 1-3 standards maturity processes.

Sera-Brynn’s webinar on CMMC draft Version 0.7 for a detailed analysis of Level 4-5 standards and maturity processes.

CMMC official website: 

CMMC official updates:

The author, Colleen H. Johnson, JD, is a senior legal analyst at Sera-Brynn, a Virginia-based cyber risk management firm.