CMMC Details Emerge

The DoD is releasing more information about the upcoming CMMC standard. At the Department of the Navy Gold Coast Small Business Procurement Event in San Diego, more details emerged about the forthcoming Cybersecurity Maturity Model Certification (CMMC) which will be replacing the current DFARS 7012 compliance self-attestation.
OCD Tech Senior Manager Nick DeLena attended the event last week.
Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition, ASD(A), for Cybersecurity, held the first of what is expected to be a "listening tour" on the emerging CMMC framework.
There will be five certification tiers which will correspond to the level of cybersecurity sophistication the DoD contractor is expected to have.
- CMMC Level 1 corresponds to "basic cyber hygiene."
- CMMC Level 2 corresponds to "intermediate cyber level hygiene."
- CMMC Level 3 corresponds to "good cyber hygiene."
- CMMC Level 4 corresponds to "proactive."
- CMMC Level 5 corresponds to "advanced and progressive [security]."
The more advanced control requirements in the draft NIST SP 800-171B will comprise part of the conditions for CMMC Levels 4 and 5.
The CMMC level required for prime and subcontractors will be specified in RFP sections L & M in DoD contracts and will be considered a "go/no-go decision," meaning compliance will be both enforced and mandatory for contract award.
Further detail was given on the framework itself, that it will not only incorporate the existing NIST SP 800-171 rev1 standard, but also DIB SCC TF WG Top 10, AIA NAS 9933, UK Cyber Essentials, AUS Essential Eight, and others. The CMMC is meant to be a unifying standard which may in the future see application beyond the Department of Defense to organizations currently doing business with any federal agency.
If you are a DoD prime or subcontractor wondering how you'll be able to find a CMMC certifier, the DoD will maintain a registry and marketplace of approved firms. Strict independence rules, as seen in the FedRAMP program with third-party assessors, are expected as well. Certifying firms "cannot be problem solvers" according to Arrington, so companies will not be able to hire one firm to both implement the requirements and certify them to a CMMC level.
CMMC 1.0 is expected to be released in January 2020 alongside training programs for certifiers. Prime and subcontractors can expect to see the CMMC in RFPs starting in the fall of 2020.
OCD Tech, the IT Audit & Security division of O'Connor & Drew, is staying abreast of the developments to continue to provide key compliance services to the DoD prime and subcontractor community. Keep in touch with us to stay current.