The DoD is releasing more information about the upcoming CMMC standard. At the Department of the Navy Gold Coast Small Business Procurement Event in San Diego, more details emerged about the forthcoming Cybersecurity Maturity Model Certification (CMMC) which will be replacing the current DFARS 7012 compliance self-attestation.
OCD Tech Senior Manager Nick DeLena attended the event last week.
Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition, ASD(A), for Cybersecurity, held the first session of what is expected to be a “listening tour” on the emerging CMMC framework.
There will be five certification tiers which will correspond to the level of cybersecurity sophistication the DoD contractor is expected to have.
- CMMC Level 1 corresponds to “basic cyber hygiene.”
- CMMC Level 2 corresponds to “intermediate cyber level hygiene.”
- CMMC Level 3 corresponds to “good cyber hygiene.”
- CMMC Level 4 corresponds to “proactive.”
- CMMC Level 5 corresponds to “advanced and progressive [security].”
The more advanced control requirements in the draft NIST SP 800-171B will form part of the requirements for CMMC Levels 4 and 5.
The CMMC level required of prime and subcontractors will be specified in RFP Sections L and M of DoD contracts and will be treated as a “go/no-go decision,” meaning certification at the required level will be mandatory and enforced as a condition of contract award.
Further detail was given on the framework itself: it will incorporate not only the existing NIST SP 800-171 Rev. 1 controls, but also the DIB SCC TF WG Top 10, AIA NAS 9933, UK Cyber Essentials, the Australian Essential Eight, and others. The CMMC is meant to be a unifying standard which may in the future be applied beyond the Department of Defense to organizations doing business with any federal agency.
If you are a DoD prime or subcontractor wondering how you’ll be able to find a CMMC certifier, the DoD will maintain a registry and marketplace of approved firms. Strict independence rules, like those the FedRAMP program applies to its third-party assessors, are expected as well. Certifying firms “cannot be problem solvers,” according to Arrington, so companies will not be able to hire one firm to both implement the requirements and certify them to a CMMC level.
CMMC 1.0 is expected to be released in January 2020 alongside training programs for certifiers. Prime and subcontractors can expect to see the CMMC in RFPs starting in the fall of 2020.
OCD Tech, the IT Audit & Security division of O’Connor & Drew, is staying abreast of the developments to continue to provide key compliance services to the DoD prime and subcontractor community. Keep in touch with us to stay current.