The Cybersecurity Maturity Model Certification (CMMC) Draft Version 0.7 is live and available here.
Version 0.7 includes Level 4-5 practices and modifies some maturity processes and Level 1-3 practices.
This draft is another step closer to the final version — CMMC 1.0.
The CMMC will be a new contractual requirement for all DoD contractors. The new certification requirement is intended to push defense contractors to strengthen their cybersecurity programs and standards. It will not be a self-attestation model, but rather a third-party certification and compliance model.
More in-depth analysis of the 190-page document will follow.
In addition to CMMC Version 0.7, the DoD has released the following clarification:
- The CMMC level of certification required for each procurement will be specified in the RFI and RFP upon release. Contractors will be required to meet the certification level at time of award. The Prime contractors must flow down the appropriate CMMC requirement to sub-contractors. Unless a higher level is specified, all contractors and sub-contractors must meet at a minimum CMMC Level 1.
- Phase 1 of CMMC only applies to the contractor’s networks and does not apply to their products.
See the “Updates” tab of the CMMC website.
Draft Version 0.4 was released for public comment in September 2019.
Draft Version 0.6 was released on Friday, November 8, 2019.
Draft Version 0.7, dated December 6, 2019, was posted on the CMMC website on December 13, 2019.
Version 1.0 of the CMMC framework is expected to be available in January 2020. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.
For more information on the Cybersecurity Maturity Model Certification program, the latest draft, and news on the formation of a CMMC Accreditation Body, visit the DoD’s official CMMC website.
ICYMI… Sera-Brynn’s webinar on CMMC version 0.6 can be found here.
The author, Colleen H. Johnson, JD, is a senior legal analyst at Sera-Brynn, a Virginia-based cyber risk management firm.