CMMC – The New DoD CyberSecurity Standard

Cybersecurity Maturity Model Certification Draft Version 0.6 Released Friday, November 8th, 2019

As promised, Office of the Under Secretary of Defense for Acquisition & Sustainment released draft version 0.6 of the CMMC the first week of November.

PDF - DRAFT CMMC Draft Version 0.6 

Draft version 0.6 updates the technical practices for Levels 1-3; the updated technical practices for Levels 4-5 will follow in the next public release. One of the key points to note in version 0.6 is Appendix B, which provides clarification for Level 1 along with examples intended to help, not to prescribe. The version 0.4 model and version 0.6 are contextually different: 0.4 contained basic requirements that were not fully worked out, while 0.6 adds clarification and moves some requirements from Level 1 to Level 2.

Level 3 is where policy-driven requirements begin. These requirements are based on NIST SP 800-171. We will find out more in the next release.

Stay tuned for more updates.


CMMC UPDATES 10/30/19

Katie Arrington, Chief Information Security Officer at the Office of the Under Secretary of Defense for Acquisition and Sustainment, just shared insights on the progress of CMMC.  Here are some of the key points mentioned.

ALL COMPANIES IN THE SUPPLY CHAIN WILL NEED SOME LEVEL OF CMMC

The idea of not needing a cybersecurity model in your business is now a thing of the past. No matter the size of the company or its level of involvement, CMMC will mandate that your organization reach a level within the CMMC. At a minimum, you will be required to maintain basic cybersecurity hygiene.

FULL IMPLEMENTATION PREDICTED BY 2025

Although this seems a distant time frame, starting your CMMC journey needs to be a priority. Identify the level that best describes the needs of your organization and create a path to reach it. After all, this is not just a checklist item; these are steps that will secure and protect your role within the supply chain.

RE-CERTIFICATION PERIODS

Level 1 – 3 Years

Level 2 – 3 Years

Level 3 – 2 Years

Level 4 – Annually

Level 5 – Annually

CMMC Levels
Upcoming Revisions

Revision 0.6 of the CMMC will launch the first week of November 2019. Another version, expected to be 99% complete, will drop in late November. This will most likely be the last update before the final release in January 2020.

Link to the Slide deck is HERE.

------------------------------------------------------------------------------------------------------

(Original Blog)

The Department of Defense (DoD) has issued draft Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) for government contractors who handle sensitive data, and is accepting comments until 5pm on September 25th, 2019. CMMC Rev 0.4 is an effort to secure the supply chain from the largest contractors to the smallest, and it will be the new cybersecurity standard in 2020. Contractors now have a glimpse into the cybersecurity standards they will need to meet if they want to work on contracts that handle controlled unclassified information (CUI) next year.

CMMC Rev 0.4 has a five-level system that combines guidance currently in place from the National Institute of Standards and Technology (NIST) with new input from the private sector and academia, including the Johns Hopkins Applied Physics Lab and the Carnegie Mellon Software Engineering Institute. The new details shed light on the third-party certification system, which will be managed by a nonprofit company in the coming months.

Slide 9 of the recently released presentation from the Department of Defense (DoD), found HERE, explains the levels of certification and descriptions. 

CMMC Slide 9

Each level describes the maturity expected for contract placement. It is assumed that contracts will be made available to companies based on their maturity level, with a certain number of contracts released at each level. Levels 1 and 2 are basic cybersecurity maturity; these levels are achievable by small businesses and provide limited resilience against exfiltration and malicious actions.

Levels 3-5 are more rigorous, requiring compliance with all NIST SP 800-171 controls.

The model itself is still being revised. It is anticipated to be reduced in size by down-selecting, prioritizing, and consolidating capabilities.

The Office of the Under Secretary of Defense for Acquisition & Sustainment is asking for your comments and suggestions by answering the following questions:

  1. What do you recommend moving within the model?

  2. Which elements provide the highest value to your organization?

  3. Which practices would you move or cross-reference between levels?

  4. What recommendations do you have to clarify the processes?

They are also asking you to fill out their Comment Matrix with further suggestions to add or delete from the model.  

Once they have received comments from the public, which is open until September 25th, they plan to adjust the model with the intent of adding additional controls. You can view their synopsis in the chart below.

CMMC Rev 0.4 will be adding 230 total practices into its certification model.   


CMMC Practices

Main Takeaways from CMMC Rev 0.4

  • All companies doing business with the DoD must utilize the CMMC and be certified.

  • The DoD is migrating from relying solely on the NIST SP 800-171 standard to adding a security maturity model, referred to as CMMC, in 2020.

  • All DoD contractors and subcontractors will receive a cybersecurity maturity certification score between 1 and 5, with 5 being the highest.

  • The higher your score, the more contract opportunities become available.

  • CMMC Version 1.0 is to be released in January 2020.

  • By the fall of 2020, requests for information (RFIs) and requests for proposal (RFPs) will begin to include CMMC.

  • Cybersecurity is now an “allowable cost.”

  • Despite best intentions, companies are more likely to overrate than underrate their performance against the NIST SP 800-171 security controls when they self-assess and attest to the results.

  • Assessment of cyber maturity or cyber posture cannot be a one-time event. Regular assessment and security monitoring are imperative.

  • Insufficient understanding of individual controls by the assessor, the implementer, or both undermines self-assessment results.

  • SP 800-171 is necessary but not sufficient. Continuous processes must augment the practices reflected in the controls.

  • External audits of processes and practices (self-attestation is out; external third-party certification is in).

  • External audits produce more thorough, consistent, and accurate results.

  • This in turn drives stronger security and improved safeguarding of CUI throughout the DoD contractor supply chain.


InfusionPoints wants to make sure our clients and potential clients are always kept up to date. We are excited about the new model rolling out and will be following it very closely. Keep an eye out for our next blog and webinar on the next revision of the CMMC.

 

References:

Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/draft.html

Draft Model: https://www.acq.osd.mil/cmmc/docs/cmmc-draft-model-30aug19.pdf

CMMC Briefing: https://www.acq.osd.mil/cmmc/docs/cmmc-overview-brief-30aug19.pdf

 

News Articles: 

https://desiredoutcomesllc.com/2019/08/03/cybersecurity-maturity-model-certification-cmmc-everything-you-need-to-know-for-2020/ 

https://www.fedscoop.com/dod-contractors-cybersecurity-standards-draft/ 
