As of this month, a draft of Version 0.6 (v0.6) of the Cybersecurity Maturity Model Certification (CMMC) has been released to the public by the US Department of Defense (DoD). This version of the new cybersecurity certification program—which requires all companies contracted by the DoD to adhere to outlined cybersecurity regulations—clarifies requirements from past versions of the document.
The improvements included in v0.6 are largely thanks to public feedback on the previous version of the document, v0.4, which was released for public comment in September 2019. Several entities including cybersecurity organizations, DoD contractors, Managed Security Service Providers (MSSPs) weighed in on the document and reported their feedback.
Since then, the DoD has acknowledged that significant changes were made to address public response to the program: “CMMC Version 0.4 was released for public review and comment in early September,” according to the DoD. “Based on this feedback, this version significantly reduces the model size, modifies the practices and processes, and provides clarifications and examples for CMMC Level 1. The document includes CMMC Levels 1-3 of the latest version of the CMMC Model (Appendix A) with clarifications for CMMC Level 1 in Appendix B.” Note that, because the DoD is still reviewing public comments, v0.6 does not include Levels 4–5.’
According to SysArc, an MSSP who helps DoD contractors meet CMMC cybersecurity requirements and has submitted its own recommendations for the CMMC, v0.6 has cleared up many confusions from past iterations. They add that the document is now much more concise and accessible for DoD contractors across many industries.
Tim Brennan, CEO of SysArc, says, “We’re very pleased with the DoD making the drafts of CMMC available for public scrutiny. It gives companies like us who have ‘boots on the ground’ a chance to let the DoD know about the current challenges facing DoD contractors with implementing cybersecurity requirements. Input from the public will go a long way in making the implementation of CMMC a success. We’re happy to be a part of it.”
The official release of v1.0 of the CMMC is expected to occur in January 2020, and the CMMC Accreditation organization will be selected soon to begin planning for auditor training and certification of DoD contractors. Auditors will likely begin certifying contractor systems beginning in the latter half of the year.