By Andrew Victor and Robert Nichols

The Department of Defense Office of the Under Secretary of Acquisition and Sustainment has shared new details on its new cybersecurity certification standard for defense contractors, the Cybersecurity Maturity Model Certification (CMMC).

To recap, DoD’s current cybersecurity rule, DFARS 252.204-7012, requires contractors to comply with the requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  NIST SP 800-171 sets forth requirements for, among other things, system access, user identification and authorization, and incident response.  The NIST standard, however, does not require any kind of certification.  DoD is designing the CMMC to address this deficiency in the existing cybersecurity framework, particularly with respect to Controlled Unclassified Information disclosed to contractors.

The CMMC will combine NIST SP 800-171 and other cybersecurity standards—including the Aerospace Industries Association’s National Aerospace Standard 9933 and the United Kingdom’s Cyber Essentials Scheme—into a unified cybersecurity standard.  Importantly, CMMC will require contractors to certify their compliance through a third-party auditor.  Contractors can obtain different levels of certification—ranging from Basic to Advanced/Progressive—based on their level of sophistication.  Solicitations will specify the required certification level on a contract-by-contract basis.  DoD hopes that the CMMC will be self-automated and cost-effective so that even small businesses can achieve Level 1 Basic certification.

At an industry day event on July 29th, DoD released a short presentation summarizing where the CMMC stands in development.  Here are our takeaways for government contractors:

  • DoD continues to believe that the vast majority of defense industrial base companies lack good cyber hygiene and instead have an ad hoc approach that permits low-level cyberattacks to succeed. Companies should consider investing in improving their cyber hygiene now to capture a competitive advantage once the CMMC requirements become “baked” into solicitations.
  • DoD is currently working with the Johns Hopkins University Applied Physics Laboratory and the Carnegie Mellon University Software Engineering Institute to develop a unified standard for cybersecurity. The standards that will comprise the CMMC are not finalized and will be subject to revision over the coming months.
  • In the midst of an iterative process, DoD intends to issue draft standards and obtain industry feedback, culminating in a publicly released standard by January 2020.
  • Contractors can expect the CMMC requirements to begin appearing in solicitations next summer. Change is imminent and contractors must be proactive in order to ensure their success.