The current Department of Defense (DoD) cybersecurity rule, reflected in DFARS 252.204-7012, requires compliance with the 110 security controls mandated in the National Institute of Standards and Technology (NIST) Special Publication 800-171. However, this clause lacks an enforcement mechanism, a deficiency that will soon be remedied. DoD recently announced it is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins Applied Physics Laboratory to develop a new certification standard, the “Cybersecurity Maturity Model Certification” (CMMC). The CMMC will be a comprehensive standard for cybersecurity, presumably exceeding the current NIST requirements. To ensure the standards remain up to date, DoD will outsource maintenance to a third party.
The CMMC will consist of five levels, ranging from “basic hygiene” to “state of the art.” The standard will also include a tool that independent third parties can use to review and certify contractor cybersecurity systems and supply chains. DoD plans to engage a non-profit organization to operate as the CMMC Accreditation Body, training and certifying independent CMMC Third-Party Assessment Organizations. The CMMC is expected to be ready by January 2020. Certification testing should start soon afterward. By September 2020, DoD RFPs will include the required cybersecurity certification level for that contract, which will be a “pass-fail” requirement. Contractors whose cybersecurity has not been certified at the required level will not be awarded the contract.
DoD contractors should closely monitor this initiative, especially with regard to the certification level likely to be assigned to the type of work they do. DoD contractors that fail to prepare for the certification requirement could be in for an unpleasant surprise in September 2020. The Office of the Under Secretary of Defense for Acquisition and Sustainment has a website that provides information on the proposed CMMC.