An Update on the U.S. Government’s New Cybersecurity Maturity Model Certification

If your company works with the U.S. Department of Defense (DoD), you have likely already heard of the U.S. government’s push to create a new set of compiled cybersecurity standards for DoD contractors and subcontractors known as the Cybersecurity Maturity Model Certification (CMMC). In March 2019, the U.S. government began compiling new cybersecurity standards for contractors that do business with the DoD as well as a new certification process to accompany the standards. Here is a quick look at what has happened to date and what the timeline is looking like for implementation.

Facts of CMMC

Led by the Office of the Assistant Secretary of Defense for Acquisition and Sustainment (OASD), the CMMC combines various cybersecurity standards and “best practices” from several existing government regulations such as the Basic Safeguarding of Covered Contractor Information Systems (48 CFR 52.204-21) and the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) in addition to new standards. The goal of CMMC is to reduce the loss or threat of loss of Controlled Unclassified Information (CUI) by third-party contractors and subcontractors working with the DoD in a cost-effective and affordable manner.

The Impact on Business

Any business that wishes to contract or subcontract with the U.S. DoD will be required to achieve at least maturity level 1 of CMMC certification. There are currently five maturity levels outlined in draft version 7.0 of the CMMC, which was published Dec. 6, 2019. The updated version of CMMC, version 1.0, is expected to be published sometime this month, in January 2020, according to the OASD.

In the past, contractors were able to self-verify compliance with the DFARS and NIST SP 800-171, but the CMMC will require certification by a third-party vendor such as Dox which will be licensed to conduct audits, inform risk, and provide certification through the U.S. government. Additionally, contractors will see a flow-down clause in contracts that requires subcontractors to also meet a minimum maturity level of CMMC as well.

What Has Happened So Far?

The OASD hosted a listening tour this summer to hear stakeholder feedback and welcomed visitors to its website at www.acq.osd.mil/cmmc/. Public comment was welcomed for CMMC Rev. 0.4 in September 2019. Based on that public commentary, CMMC revision 0.6 was issued in November 2019 and public comment was once again requested. The latest version, CMMC 0.7 was issued Dec. 6, 2019, to include revisions based on stakeholder and public feedback.

What’s Next for CMMC?

According to the OASD, CMMC revision 1.0 will be released in January 2020. As of the publication of this blog, the updated version of CMMC has not yet been released to the public. Auditor training and certification for third-party auditors such as Dox is set to begin sometime between January and March of 2020. The requirements of CMMC will be included in Requests for Information (RFIs) from contractors and subcontractors starting in June 2020. In the fall of 2020, the CMMC requirements will begin to be included in the Requests for Proposals (RFPs) issued by the U.S. Department of Defense.

Additionally, the U.S. government will have to develop a plan for auditor training and certification of third-party vendors to conduct audits, inform risk, and provide certification of DoD contractors and subcontractors. Dox is committed to becoming trained and licensed to conduct CMMC certifications as soon as the government allows.

CMMC Practices

Practices are better known as controls in the world of cybersecurity. In the existing CMMC version 0.7, there are a total of 173 practices that must be implemented for businesses to achieve a maturity level of 5. This is the highest level of cybersecurity outlined in the CMMC thus far. This could change though as CMMC version 1.0 is issued.

What Now?

While businesses contracting with the U.S. DoD are not yet able to achieve CMMC certification, there are steps they can take to move toward certification. Dox suggests that since CMMC certification is based upon many cybersecurity requirements found in DFARS and NIST SP 800-171, conducting an audit and risk assessment based on these regulations is a great starting point. Most of the practices found within maturity levels 1, 2, and 3 of the CMMC come from NIST SP 800-171, which is currently required by the Defense Federal Acquisition Regulation Supplement (DFARS). If you are already compliant with the requirements of these regulations, then you have a good start toward achieving CMMC certification.

If you still have questions about the CMMC model, certification, and/or requirements, please contact Dox now at (585) 473-7766 or visit Dox online. Be ready to bid on DoD contracts by having your CMMC certification in order early.