The DOD released the Cybersecurity Maturity Model Certification (CMMC) Model v1.0 requirements on Friday, January 31, 2020. The CMMC was created to protect controlled unclassified information and respond to the ever-increasing presence of cyber threats and intrusions aimed at the defense industrial base and its supply chains. CMMC combines various cybersecurity standards and maps these best practices and processes to five maturity levels, ranging from basic cyber hygiene to highly advanced practices. Model v1.0 is available here.
The impact of CMMC will be significant, as the requirements are expected to be included in requests for information (RFI) starting in June 2020 and in solicitations in September 2020. The CMMC level of certification required for each procurement will be specified in the RFI and solicitation upon release. The DOD estimates that approximately 300,000 contractors will need to be certified. Contractors will be required to meet the certification level at time of award. All contractors and subcontractors must meet CMMC Level 1 compliance at a minimum.
While the CMMC requirements build upon the NIST 800-171 revision 1 security requirements and other cybersecurity standards and frameworks, key differences include:
- Self-attestations are no longer allowed.
- CMMC requires a third-party assessment organization (3PAO) to audit and certify an organization’s compliance.
- Maturity level requirements are cumulative, and all processes must be implemented and operational to obtain certification.
- Plans of Actions and Milestones (POAMs) will no longer be acceptable, as all requirements must be implemented at time of audit.
DOD contractors should not take these requirements lightly, as lack of certification will render contractors ineligible for award.
For additional information, please contact BRG’s Amit Garg.