The U.S. Department of Defense (DOD) has recently announced the creation of a new Cybersecurity Maturity Model Certification (CMMC) program. The DOD has stated that the new CMMC program will provide a cybersecurity framework for enforcing the Defense Federal Acquisition Regulation Supplement (DFARS) requirements to protect controlled unclassified information (CUI). The current DFARS cybersecurity requirements invoke the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which contains 110 information security control requirements. The DFARS cybersecurity requirements were officially implemented effective December 31, 2017.
However, during the past 18 months the DOD contractor self-assessment approach to compliance with NIST SP 800-171 has not achieved the desired level of enhanced information security for sensitive unclassified information. Clearly, DOD has recognized the need to implement a formal cybersecurity audit program to ensure that adequate information security measures are being implemented by defense contractors.
A Step in the Right Direction
The new DOD CMMC program is still in the development phase and is widely expected to be patterned after the well-established Carnegie Mellon University Software Engineering Institute (CMU/SEI) Capability Maturity Model Integration for software development. The new DOD CMMC is anticipated to be a five-level Cybersecurity Maturity Model, using the newly revised version of NIST SP 800-171, released on June 19, 2019, as its information security control requirements.
Further, the DOD has announced its plans to require all defense contractors to become compliant with the CMMC program by passing a formal CMMC audit, which DOD plans to contractually require on all new contracts effective as of June 2020. According to a DOD spokesperson, outside/private sector information security auditors will be used to perform the CMMC audits starting in late 2020 or 2021.
In addition, DOD plans to use a non-profit organization to oversee the new CMMC program and accredit the outside/private sector information security auditors. Presently, DOD is working with both The Johns Hopkins University Applied Physics Laboratory and CMU/SEI to support the planning of this new program.
Top Ten Contractor Questions
Based upon our recent discussions with government contractors, there are numerous industry concerns about the DOD’s new Cybersecurity Maturity Model Certification (CMMC) program, including the following frequently asked questions: