Recently, the Department of Defense (DoD) announced that a new cybersecurity standard is in development. It is being formed in conjunction with a new certification for defense contractors: the Cybersecurity Maturity Model Certification (CMMC).
The goal of the CMMC is to address cybersecurity deficiencies within the Defense Industrial Base (DIB) and to enhance supply chain security. While a draft of the CMMC has not yet been released, it is believed that the certification will be based on NIST SP 800-171, particularly DFARS Clause 252.204-7012, which outlines 110 security controls that defense contractors handling sensitive, unclassified information are required to implement.
CMMC is also expected to function as an enforcement mechanism, something that is currently lacking in the DFARS clause. DoD contracts will have new requirements associated with CMMC, specifying which of the five expected levels of certification will be mandatory to be awarded the contract.
If you want to learn more about what the CMMC will include, here’s what you need to know.
Third-Party Audits Required
Today, contractors are allowed to self-certify that NIST SP 800-171 has been implemented properly. However, a report discovered that many contractors failed to meet the DFARS Clause 252.204-7012 requirements, and some didn’t even have the required knowledge or means to adhere to the regulation.
The CMMC is expected to go further, making an independent, third-party audit a requirement. This is a fundamental change to the core process and will require contractors to take additional steps before having access to DoD contracts with CMMC requirements.
Essentially, contractors will have to undergo evaluations to ensure that various technical controls are in place. Additionally, reviews of documentation and policies are expected to be part of the assessments. This provides the assessor with a holistic view of the contractor’s capabilities, especially since compliant doesn’t equal secure, and vice versa.
At the conclusion of the evaluation, an organization will receive a score between 1 and 5. Those who receive a 5 are viewed as being the most secure and will be eligible for the highest number of contracts, as contractors can attempt to secure a contract at levels that are equal to or lower than their assigned score.
Skilled Teams Will Be Necessary
A hurdle many contractors will face involves IT personnel. Businesses will likely need a strong IT team to ensure the CMMC requirements are met and properly maintained.
Small contractor organizations may not have available personnel to handle the transition to CMMC. Without bringing the right IT specialists on staff, the ability for a contractor to secure contracts in the future may diminish greatly.
Estimated Timeline
At this point, CMMC is in a relatively early stage of development. However, by January 2020, the creation of a certifier accreditation program should be underway, with the goal of being able to begin the accreditation process by June 2020. Once the first certifiers are accredited during the second half of 2020, contractor evaluations will start.
While information about CMMC is limited, drafts will be released as they come available, giving contractors critical insight into the new approach. If you’d like to know more about CMMC, the staff at The Squires Group can help. Contact us with your questions today and see how our expertise can benefit you.
