The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) established a new website in June dedicated to the development of the Cybersecurity Maturity Model Certification (CMMC) in recognition that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain, according to website information.
In this endeavor, the Defense Department aims to secure CUI that resides on vendor websites. All companies doing business with the DoD, including subcontractors, will need to obtain CMMC certification.
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. The framework seeks to certify a company's compliance with federal cybersecurity regulations in accordance with Defense Federal Acquisition Regulation Supplement DFARS 252.204-7012.
OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification.
The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. As required in the CMMC framework, the intent is for certified independent third-party organizations to conduct audits and report on areas of risk.
Companies will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a CMMC assessment. Companies will specify the level of certification requested based on their specific business requirements. Companies will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate capability and organizational maturity to the satisfaction of the assessor and certifier. Some of the higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA), or the Defense Counterintelligence and Security Agency (DCSA).
Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.
The Defense Department is planning a series of engagements across the United States to solicit feedback from the Defense Industrial Base sector. For more information, visit https://www.acq.osd.mil/cmmc/listening-tour.html.
Visit the Office of the Under Secretary of Defense for Acquisition and Sustainment's (OUSD(A&S)) new Cybersecurity Maturity Model Certification website: https://www.acq.osd.mil/cmmc/index.html.