The first official version of the Cybersecurity Maturity Model Certification (CMMC) has been released by the Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment [OUSD(A&S)]. The release is part of an ongoing effort to give organizations involved in DoD operations clearer and more effective guidance on modern cybersecurity practices.
That makes the CMMC a valuable resource – but only if you understand it. Do you know what this latest version entails, and what it means for you?
The CMMC is the DoD's way of certifying its contractors' ability to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the defense supply chain.
It builds on the requirements already set out in the Defense Federal Acquisition Regulation Supplement (DFARS), the Code of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidance (namely NIST SP 800-171).
The DoD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data shared with you must be protected. Inadequate safeguards for this data may threaten America's national security and put our military members at risk.
The DoD has implemented a basic set of cybersecurity controls through DoD policies and the DFARS. The DFARS rules and clauses apply to the safeguarding of contractor and supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels, based on guidance developed by NIST, specifically NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
As a U.S. DoD contractor that collects, stores or transmits Covered Defense Information (CDI) or CUI, you must comply with NIST SP 800-171 and DFARS clause 252.204-7012. Your subcontractors must comply as well and be able to maintain that compliance. If you don't, you can't bid on DoD contracts, and you may lose the ones you have. The CMMC is the DoD's way of giving contractors like you a method for verifying that the appropriate measures have been put in place.
While Version 1.0 is largely similar to the previous draft (version 0.7), there are a range of updates that you should be aware of:
Where draft version 0.7 detailed nine processes across the five maturity levels, CMMC Version 1.0 has only five in total. Furthermore, version 1.0 does not explain how each process is tailored to apply to each individual domain, even though the previous version stated that it would.
Instead, just like with previous versions, the current version only offers generic maturity processes that apply to every domain in the model.
Additional Info & Context For Practices
A useful update in this version is Appendix B, which provides the following:
The previous draft only detailed this information for levels 1-3.
Another new addition, Appendix E, offers a "source mapping" resource that shows contractors how and where practices from other cybersecurity references and frameworks overlap with CMMC. Whether it's 48 C.F.R. § 52.204-21 or NIST SP 800-171 Rev 1, CMMC draws heavily on existing frameworks.
This Appendix helps to clear up the overlap, noting:
Unfortunately, version 1.0 does not specify how long a certification remains valid. However, DoD's Katie Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition and a key player in the rollout of CMMC, stated in a press briefing on the morning of the release that a company's certification will be "good" for three years.
If you’re unsure of how to comply with DFARS, NIST, CFR and the CMMC, don’t risk it – work with a skilled and knowledgeable partner like BlueHat Cyber.