The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors. It is named the “Cybersecurity Maturity Model Certification” (CMMC).
Notably, the intent of the CMMC is to remedy cybersecurity deficiencies in the defense industrial base and secure the supply chain.
The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule. Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.
However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.
According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.
Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification. The levels will range from basic cyber hygiene to “State-of-the-Art.” DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.
This is a fundamental change to how defense contracts are awarded today.
Audits Will Be Required
The current DFARS cybersecurity clause does not require third-party audits. Contractors may self-certify that they have implemented NIST SP 800-171.
Reportedly, the CMMC will require independent, third-party audits.
At a May 23, 2019 conference at Georgetown University Law Center in Washington, DC, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, U.S. Department of Defense, spoke on the CMMC program. Ms. Arrington remarked that every kind of business doing business with the DoD will need a third-party audit under the new system.
This audit requirement will be another fundamental change to the current acquisition rules.
On June 13, 2019, the Professional Services Council in Arlington, Virginia is presenting an event on this topic. Ms. Arrington is scheduled to speak on the CMMC. The Hon. Kevin Fahey, Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Acquisition and Sustainment, U.S. Department of Defense, will speak on the Pentagon’s perspective on acquisitions.
More information on the CMMC is expected to be released in the upcoming months. Sera-Brynn will provide its analysis of the draft CMMC when it is released.
The author, Colleen H. Johnson, JD, is a senior legal analyst at Sera-Brynn, a Virginia-based cyber risk management firm.