CMMC Part 1: Cybersecurity Standards and Contractor Certifications - Preliminary Analysis

The DOD (Department of Defense) or more specifically, The Office of the Assistant Secretary of Defense for Acquisition began the process of creating the Cybersecurity Maturity Model (CMMC) in March 2019.

The CMMC has been under development through a collaborative effort with Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University Software Engineering Institute, Defense Industrial Base Sector Coordinating Council (DIB SCC), and the Office of Small Business Programs. Together they have issued a long-awaited cybersecurity standard in draft form for contractors who work with the Pentagon’s sensitive data. In addition, support from industry associations such as the National Defense Industrial Association (NDIA), the Aerospace Industries Association (AIA), and the Professional Services Council (PSC) has been contributed as well to provide input from industry.

 

Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) is now live.

CMMCwebsiteThe CMMC 0.4 cybersecurity standards provides contractors with a new “roadmap” for cybersecurity standards they will need to adopt and be certified with if they want to seek out DOD contracts that handle or process controlled but unclassified information. Ultimately, the CMMC effort is designed to secure the DOD‘s large and complicated cyber and IT supply chains from the largest prime contractors down to the smallest sub-contractors .

The new CMMC framework addresses 18 domains, described as “key sets of capabilities for cybersecurity” that were outlined in a slide deck distributed by the Office of the Assistant Secretary of Defense for Acquisition. See link below and image of OSD Website, (with embedded link). These domains include areas like access control, governance, incident response, and risk assessment.

Each domain is then assessed based on practices or “activities performed at each level” as well as the processes engaged “at the level of maturity” for each practice within an organization. By separating out these two criteria into separate categories, DOD contractors (prime and sub’s) can demonstrate that they have institutionalized these “processes,” even if they don’t exactly match or score points on any the “practices” at the time of assessment. The result is a five-tier scoring model, each tied to a certain level of cybersecurity assurance. Both practices and processes are reviewed and evaluated across five basic levels, (from basic through advanced and optimized accordingly).

 

Current Status of Draft Standard:

The CMMC model is currently in its fourth draft, which the department released for public comment on Wednesday Sept 4, 2019. DOD expects to be working on the sixth draft by November 2019 and plans to issue the first release of the final version in January. The defense contracting community will have some additional time to review and comment on these new rules through. Defense offices who publish RFP’s will be expected to include certification requirements in their requests for information by June 2020 and in all official solicitations by the fall of 2020.

The draft represents an early stage of development of the new standards and the DOD is requesting feedback, according to information published on the model at an informational website located here: (https://www.acq.osd.mil/cmmc/draft.html)