In an effort to mitigate the cybersecurity risk currently present across all sectors of the Defense Industrial Base (DIB), the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is rolling out the Cybersecurity Maturity Model Certification (CMMC). In our previous blog, my colleague Mike Skinner provided an overview of the CMMC and its included standards. In this blog series, we will discuss the current state of CMMC, what’s to come, and how your organization can begin the readiness process.
In January 2020 the OUSD(A&S) released CMMC v1.0. The document and its appendices lay out the overall structure of the CMMC and its requirements for each level of the certification. CMMC v1.0 combines multiple existing frameworks and standards to establish a set of processes and practices that will increase the cybersecurity maturity level of DOD contractors and sub-contractors. There are five levels of both practices and processes that must be met. These levels are cumulative, meaning the contractor must meet all requirements for their established level and for all previous levels. Unlike other cybersecurity frameworks required in the past, the CMMC will require third-party assessment to the level required. However, neither the OUSD(A&S) nor the CMMC Accreditation Board (CMMC A.B.) has yet approved any third-party commercial certification organizations or certified assessors.
The OUSD(A&S) announced the initial rollout will start with 10 large contracts in 2020, with a full rollout expected by 2026.
CMMC Readiness: What can you do now?
With full CMMC rollout expected by 2026 and the wait for certified assessors, many organizations may feel there is reason to delay CMMC efforts altogether. There are, however, steps that can be taken now to better prepare your organization to meet the certification requirements.
The overall objective of the CMMC is to move DOD contractors toward an ongoing cybersecurity maturity model. This means organizations are continuously putting policies and practices in place that will create a holistic and resilient cybersecurity posture. Even if an organization does not expect to need a formal CMMC assessment in 2020, it can still take the readiness steps necessary to create a culture and environment that, when audited, can stand up against the requirements laid out in CMMC v1.0. Any organization that decides to become ready now will not only make it easier to renew its current DOD contracts, but will also create a competitive advantage for new DOD contracts in light of the upcoming CMMC requirement.