CMMC – The New DoD CyberSecurity Standard 

The Department of Defense (DoD) has issued draft Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) for government contractors that handle sensitive data, and is accepting comments until 5 pm on September 25th, 2019. CMMC Rev 0.4 is an effort to secure the defense supply chain from the largest contractors down to the smallest, and it is slated to become the new DoD cybersecurity standard in 2020. Contractors now have a glimpse into the cybersecurity requirements they will need to meet if they want to work on contracts that involve Controlled Unclassified Information (CUI) next year. 

CMMC Rev 0.4 defines a five-level model that combines guidance already in place from the National Institute of Standards and Technology (NIST) with new input from the private sector and academia, including the Johns Hopkins Applied Physics Laboratory and the Carnegie Mellon Software Engineering Institute. The new details also shed light on the third-party certification system, which the DoD says will be managed by a nonprofit organization to be stood up in the coming months.  

Slide 9 of the recently released DoD presentation (the CMMC Briefing linked under References below) explains the certification levels and their descriptions. 

CMMC Slide 9

Each level describes the cybersecurity maturity a contractor is expected to demonstrate before it can be placed on a contract. It is assumed that contracts will be made available to companies based on their certified level, with a certain number of contracts released at each level. Levels 1 and 2 represent basic cyber hygiene. These levels are achievable by small businesses, but they provide only limited resilience against data exfiltration and other malicious activity.  

Levels 3 through 5 are more rigorous: starting at Level 3, a contractor must comply with all 110 NIST SP 800-171 controls, and Levels 4 and 5 add practices and processes beyond that baseline.  

The model itself is still being revised. It is anticipated that it will be reduced in size by down-selecting, prioritizing, and consolidating capabilities.  

The Office of the Under Secretary of Defense for Acquisition & Sustainment is asking for your comments and suggestions by answering the following questions: 

  1. What do you recommend moving within the model? 

  2. Which elements provide the highest value to your organization? 

  3. Which practices would you move or cross-reference between levels? 

  4. What recommendations do you have to clarify the processes? 

They are also asking you to fill out their Comment Matrix with further suggestions to add or delete from the model.  

Once the public comment period closes on September 25th, the DoD plans to adjust the model, including the addition of further controls. Its synopsis of the model is summarized in the chart below.  

CMMC Rev 0.4 includes 230 practices in total, distributed across its five certification levels.   

 

CMMC Practices

 

Main Takeaways from CMMC Rev 0.4 

  • All companies doing business with the DoD must adopt the CMMC and become certified.  

  • In 2020 the DoD is migrating from relying solely on NIST SP 800-171 to a security maturity model referred to as CMMC. 

  • All DoD contractors and subcontractors will receive a cybersecurity maturity certification level between 1 and 5, with 5 being the highest. 

  • The higher your certified level, the more contract opportunities become available to you. 

  • CMMC Version 1.0 is scheduled to be released in January 2020. 

  • By the fall of 2020, requests for information (RFIs) and requests for proposal (RFPs) will begin to include CMMC requirements. 

  • Cybersecurity is now treated as an "allowable cost" on DoD contracts. 

  • Despite best intentions, companies are more likely to overrate than underrate their performance against the NIST SP 800-171 security controls when they self-assess and attest to the results.  

  • Assessment of cyber maturity or cyber posture cannot be a one-time event. Regular assessment and continuous security monitoring are imperative.  

  • Self-assessments frequently suffer from an insufficient understanding of individual controls by the assessor, the implementer, or both.  

  • NIST SP 800-171 is necessary but not sufficient. Continuous processes must augment the practices reflected in the controls.  

  • Self-attestation is out and external third-party certification is in: processes and practices will be audited by an outside assessor. 

  • External audits are expected to produce more thorough, consistent, and accurate results than self-assessment.  

  • That in turn drives stronger security and improved safeguarding of CUI throughout the DoD contractor supply chain. 

 

InfusionPoints wants to make sure our clients and potential clients are always kept up to date. We are excited for the new model to roll out and will be following it very closely. Keep an eye out for our next blog post and webinar covering the next revision of the CMMC. 

 

References: 

Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/draft.html 

Draft Model: https://www.acq.osd.mil/cmmc/docs/cmmc-draft-model-30aug19.pdf 

CMMC Briefing: https://www.acq.osd.mil/cmmc/docs/cmmc-overview-brief-30aug19.pdf 

 

News Articles: 

https://desiredoutcomesllc.com/2019/08/03/cybersecurity-maturity-model-certification-cmmc-everything-you-need-to-know-for-2020/ 

https://www.fedscoop.com/dod-contractors-cybersecurity-standards-draft/ 
