As you may be aware, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31st, 2020. We have received many inquiries about what this means, and what we are currently recommending to our clients in the Defense Industrial Base (DIB).
Here is what we know as of today, including some key takeaways from the v1.0 release and the press release that followed:
- CMMC requires every company doing business with the DoD to engage a Certified Third-Party Assessment Organization (C3PAO) to audit the company's cybersecurity practices and processes
- This differs from the current DFARS model, under which contractors self-attest to their compliance
- An accreditation body has been established to identify, train, and accredit C3PAOs. At this time there are no accredited assessors, so beware of any firm that claims it can provide you the "audit" or "certification" today.
- CMMC will not be retroactive, and therefore will not apply to existing contracts containing the DFARS clause
- CMMC will be rolled out in stages, appearing in new contracts beginning in Fiscal Year 2021
- Certification will be required at time of award, not at time of bid
- DoD’s goal is to have the requirement fully implemented by Fiscal Year 2026
- CMMC defines five maturity levels, ranging from basic cyber hygiene (Level 1) to advanced (Level 5), against which organizations will be assessed
- The CMMC 1.0 model contains 17 domains, 14 of which draw their "practices" (controls) from the same NIST SP 800-171 control families we have been assessing against under the current DFARS clause
- The remaining three domains (Asset Management, Recovery, and Situational Awareness) add practices drawn from other frameworks (e.g. the CIS Critical Security Controls, NIST SP 800-53, and the NIST Cybersecurity Framework)
- The CMMC model eliminates the allowance for Plans of Action and Milestones (PoA&Ms): an identified weakness that is still open at the time of assessment counts against certification rather than being deferred
While the CMMC Accreditation Body has been formed and its board members elected, it has yet to define the criteria and process for training and accrediting C3PAOs. OCD Tech aims to pursue and receive this accreditation once the process is formalized, but there are steps that can be taken in the interim, and we are currently helping clients move toward CMMC readiness.
So, what does all this mean for your organization? If you handle Controlled Unclassified Information (CUI), or are currently doing or intend to do business within the DIB, the best proactive course of action is to engage in a CMMC readiness exercise. Rely on OCD Tech's expertise to identify your system boundaries, develop a System Security Plan (SSP), and assist in identifying and closing PoA&Ms against the current CMMC 1.0 release for your targeted maturity level.
Timing is key. CMMC requirements will be included in DoD RFIs as early as June 2020, and the same requirements will start appearing in DoD RFPs in September 2020, so there is limited time to act. Conducting a CMMC readiness exercise carries a dual benefit: compliance with today's requirements along with preparedness for bidding on future contracts. This will help your organization maintain a competitive edge in the DIB market.
It is also important to note that, until CMMC appears in their contracts, DoD contractors and other members of the DIB remain subject to the existing DFARS requirements, including the self-attestation described above.