CMMC

Sensitive data and information correlated to the U.S. Department of Defense (DoD) actions are hacked and compromised on a continuous basis and it is a problem for every DoD contractor. The U.S.federal government has put in place a severe and critical update to its cybersecurity model. The latest Cybersecurity Maturity Model Certification (CMMC) puts a huge and necessary focus on data within DoD contractors, subcontractors and supply chain organizations’ networks.

New changes have been made to the cybersecurity requirements DoD (Department of Defense) contractors need to meet for compliance. Version one of the CMMC (Cyber Maturity Model Certification) model was released in January 2020 and all DoD contractors must be certified before they can bid on a government project.

Cybersecurity Maturity Model Certification (CMMC) is the new framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It applies to all companies who are either contractors or subcontractors with the Department of Defense (DoD). It is estimated that there are around 300,000 companies who do business within the Defense Industrial Base (DIB) who will need to comply with the new regulations.

Though the CMMC Advisory Board has been formed, they have yet to train any Third-Party Assessment Organizations to certify anyone, so certification is not yet possible. But, as we will see, you can do a lot to get your proverbial ducks in a row right now. In fact, it will greatly benefit your organization when it comes time to seek certification to start working toward your desired Level of compliance because it is going to be a mammoth undertaking for those who have been fast and loose with documentation and controls for a while.

Cybersecurity Maturity Model Certification (CMMC) is an assessment model designed by the DoD (Department of Defense) to protect sensitive unclassified information. CMMC looks at several security standards used by the military and its defense contractors. Originally passed in 2018, CMMC has been revised several times but its main framework remains the same.

The Cybersecurity Maturity Model Certification (CMMC certification) is designed to simplify compliance for companies handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Department of Defense (DoD) supply chain. For a detailed explanation of what qualifies as CUI, refer to the Organization Index Grouping of Defense.

Currently, Draft v0.7 of the CMMC is available, with the final version (v1.0) expected in January 2020. Companies are encouraged to review v0.7 to begin preparing for the level of DoD CMMC certification required for project bids.

Draft v0.7 is accessible online in its entirety. Below is a concise summary of its contents, along with insights from Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, as presented in her webinar “What Contractors Need to Know About DoD’s CMMC” (July 17, 2019). Note: You must be signed in to view the webinar.

During the webinar with the Professional Services Council, Katie Arrington highlighted that losses from inadequate cybersecurity controls leading to CUI breaches amount to over $600 billion annually. While achieving DoD CMMC certification may incur costs, the long-term savings outweigh these expenses. Additionally, the government considers CMMC certification costs as allowable expenses in its bidding process. The Request For Information (RFI) and Request For Proposal (RFP) Sections L and M outline the required level of CMMC certification, which can determine eligibility for project bids.