The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program will be a new contractual requirement for all DoD contractors. It will impact the 300,000 firms that make up the defense industrial base. It will not be a self-attestation model, but rather a third-party certification and compliance model.
In 2020, the DoD plans to finalize the CMMC framework and to start implementation with a select group of acquisitions.
Here are some go-to facts and resources to help you prepare.
CMMC Timeline
| Date | Milestone |
| --- | --- |
| September 2019 | CMMC Draft Version 0.4 released |
| November 8, 2019 | CMMC Draft Version 0.6 released |
| November 19, 2019 | CMMC Accreditation Body Industry Day, Arlington, VA* |
| December 13, 2019 | CMMC Draft Version 0.7 released |
| January 30, 2020 | CMMC Version 1.0 released |
| Summer 2020 | Industry should begin to see the CMMC requirements as part of Requests for Information. |
* During the meeting, DoD outlined the timeline and expectations and challenged industry to self-organize to form the Accreditation Body to implement the CMMC standard.
Resources
Sera-Brynn’s webinar on CMMC Version 0.6 (including a detailed analysis of the Level 1-3 standards and maturity processes) is now available below:
Sera-Brynn’s webinar on CMMC Version 0.7 (including a detailed analysis of Level 4-5 standards and maturity processes) is now available below:
CMMC official website: https://www.acq.osd.mil/cmmc/index.html
CMMC official updates: https://www.acq.osd.mil/cmmc/updates.html
Slide deck titled “Securing the DoD Supply Chain: Cybersecurity Maturity Model Certification,” by Ms. Katie Arrington, Chief Information Security Officer for Acquisition (approved for public release Dec. 9, 2019).
The author, Colleen H. Johnson, JD, is a senior legal analyst at Sera-Brynn, a Virginia-based cyber risk management firm.