Earlier this year, the Department of Defense (DoD) announced the development and enforcement of new cyber security compliance requirements to be eligible for DoD contracts.
Because the upcoming requirements affect so many companies (large and small) as well as prime and subcontractors, many organizations are looking for answers.
Here are the top 5 things you need to know now about the upcoming Cybersecurity Maturity Model Certification (CMMC).
1. What is the CMMC?
CMMC is the acronym for “Cybersecurity Maturity Model Certification” and will be a new requirement for existing DoD contractors. The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.
CMMC is a capability based maturity model. It will define a layered approach to cybersecurity maturity. When the model is finalized, it will leverage multiple sources, compliance frameworks, best practices, regulations and threat profiles.
The CMMC is expected to combine various cybersecurity control standards, such as NIST SP 800-171, NIST SP 800-53, ISO 270001, and ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. Unlike NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls, the CMMC will measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
- CMMC is a new compliance framework that all DoD contractors and subcontractors will need to adhere to.
- The framework is not yet solidified, but it will likely be an amalgamation of existing well known frameworks.
2. Who is affected and who is requiring it?
The Department of Defense is going to require all its prime and subcontractors to be CMMC compliant. Currently, estimates indicate that this will affect 300,000 companies with a high likelihood that most of those affected are small and medium sized businesses.
- In summary – If you are a prime or subcontractor to the DoD, you are affected.
3. How will the CMMC assessment work?
Currently, the DOD has said that the CMMC assessment will be conducted by a credentialed independent assessor. The assessors will be 3rd party organizations and will need to be accredited to perform the CMMC review. The assessment will be an evidence-based and on-site evaluation of your company’s capabilities and processes. However, because the CMMC is a layered model, it is likely that not every organization needs to implement every control.
- Assessments will be conducted by accredited 3rd parties.
- Assessments will require your organization to prove its compliance by showing evidence you have followed the controls.
- It is likely you may not need to implement every single control.
4. When will this all go into effect?
DoD documents indicate that version 1.0 of the CMMC framework will be available in January 2020. In June 2020, companies responding to DoD Requests for Proposals (RFPs), will need to show their CMMC compliance.
- The CMMC framework should be published by January 2020.
- Companies will need to start showing their CMMC compliance by June 2020.
5. What you can do now to get ready for CMMC?
Even though the CMMC won’t be finalized until January of 2020, companies can still begin the process to become compliant. At New Context, we recognize that meeting security and compliance requirements can be costly, slow down development and hinders innovation. The way to tackle this problem is to understand what you can do now to build best practices which are applicable to a broad set of compliance requirements.
- Determine a list of what compliance or regulatory frameworks which may apply to your business.
- Assess the business’ ability to address compliance requirements and determine how much it costs to meet those controls.
- Make a roadmap to meet compliance requirements in a way which is sustainable to your company.
Additional CMMC Resources
The Office of the Under Secretary of Defense for Acquisition and Sustainment’s website provides additional background on the proposed CMMC, including a list of FAQs.