This month marks a significant change in the way that the Department of Defense ensures data protection from the threat of cyberattacks. As of this year, Department of Defense (DoD) contractors will be required to obtain Cybersecurity Maturity Model Certification (CMMC) to prove that they are equipped to handle DoD data securely. The introduction of the final version of the CMMC in January 2020 is a major effort by the Department of Defense (DoD) to improve cybersecurity.
To fully protect Controlled Unclassified Information (CUI) and US Federal Contract Information (FCI) from further data breaches, all parties involved in the DoD supply chain will now require Cybersecurity Maturity Model Certification (CMMC). It is believed that the changes will impact around 300,000 contractors that make up the DoD supply chain.
The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) began to put together the CMMC in March 2019. Draft versions of the CMMC were released to the public for feedback in September 2019 and November 2019. Based on the feedback received on the drafts by the industry, there were a number of changes made. The final version of the CMMC, version 1.0, will be released to the public by the end of January 2020.
CMMC builds upon the existing DFARS 252.204-7012 regulations, which DoD contractors were required to comply with on a self-regulatory basis. To further improve cybersecurity and to help protect against data breaches, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC).
Under CMMC regulations, the DoD supply chain will no longer be self-regulated. This month’s introduction of the CMMC requires DoD contractors and subcontractors to be verified to ensure they meet the required cybersecurity standards. To achieve certification, contractors and suppliers will need to receive a CMMC Audit. The CMMC audits will be carried out by an accredited, independent third-party assessor.
DoD contractors will be assessed against five CMMC levels, known as Levels 1–5. Level 1 is described as Basic Cyber Hygiene, Level 2 as Intermediate Cyber Hygiene, Level 3 as Good Cyber Hygiene, Level 4 as Proactive, and Level 5 as Advanced/Progressive.
Contractors must meet both the required CMMC level for their business as well as all levels beneath it. Introducing CMMC Levels 1–5 enables the Department of Defense to ensure that contractors have the appropriate cybersecurity controls in place to match the level of risk related to the information that they handle.
As different levels of suppliers require different levels of security certification, businesses will be responsible for notifying the assessor of the level of certification that they require. The assessor will then verify the level of security certification that the business must meet.
To continue to act as a supplier to the DoD, businesses must reach the appropriate level of security needed for their business requirements. Without achieving the required level of certification, companies cannot be considered for DoD contracts. It is not yet clear how frequently suppliers and contractors will need to be assessed by the third-party auditors.
While the final version of the CMMC will be released to the public in January 2020, the industry will begin to see audits for the CMMC requirements beginning in June 2020. The CMMC requirements will be part of Requests for Information (RFI). In order to bid for new contracts, contractors will need to ensure that they meet the appropriate CMMC level requirements to be considered as a candidate for the contract.
This month’s release of the CMMC means that DoD contractors must familiarize themselves with the CMMC and take steps to comply with the new regulations. Failure to comply could lead to loss of their contracts with the DoD, resulting in potentially significant losses of business earnings for contractors.
To maintain their DoD contracts, it is vital that businesses begin to prepare for the new CMMC regulations as soon as possible. Reviewing current cybersecurity measures included in previous versions of the CMMC and upholding DFARS compliance is a crucial part of the preparation to help ensure that contracts are not lost as a result of not meeting standards.
While some companies have begun working towards compliance, many others still lack preparation. Contractors who lack the resources to comply in-house may opt to consult with a CMMC compliance company who understands the new CMMC regulations can help make sure the contractor is prepared to pass an upcoming CMMC audit.