Over 300,000 companies will now be required to comply with the CMMC… are you ready?
If you are in the technology or government contracting industry, you are constantly inundated with new acronyms. Well, the DoD has now released a new acronym that should definitely be on your radar. CMMC, short for Cybersecurity Maturity Model Certification, will be a new cybersecurity ranking system for companies who wish to bid on contracts with the DoD.
Why does this affect you? Because, over 300,000 companies will now be required to comply with the CMMC in order to be eligible for contracts with any branch of the DoD. Each contract will require a specific maturity level, to be outlined in RFP sections L&M.
As opposed to other security frameworks, this will not operate as a “checklist” but more as a holistic way for companies to gauge their cybersecurity from a more critical-thinking viewpoint. A specific level of maturity will be required in order to compete for DOD contracts, which means that only companies with the specified maturity level will have the option to bid in the first place, all others need not apply!
According to the DoD, the process for complying with these new standards will be an allowable cost – meaning the cost can be billed back to the government — which shows how much they value the security of the companies they do business with.
The CMMC consists of five levels, ranging from basic hygiene to state-of-the-art practices, and these levels are directly based on NIST SP 800-171 requirements and controls. CMMC levels 1, 2, and 3 directly map to the 800-171 requirements, meaning that by the time your company achieves Level 3 certification, you have satisfied all 110 of the NIST controls. Levels 4 and 5 will be based on the NIST SP 800-171B, which has yet to be finalized and fully rolled out.
Companies that handle covered defense information have been required to follow 800-171 since the beginning of 2018. While they may have been able to passively disregard 800-171 until now, adherence to these controls is no longer an option if they want to do business with DoD. We will soon see a massive uptick in adoption of these controls due to the emphasis DoD is applying in the form of mandates.
The DoD has described their approach to the CMMC as “crawl-walk-run,” and hope to begin certifying third-party assessment firms by January of 2020, and officially introduce the process in June 2020. While this seems to be an aggressive approach — jog-run-sprint, perhaps — it is certainly something that a huge portion of industry will have to pay attention to, and quickly.
With all of this, there are still a number of open questions, such as:
- What is the scope of the audits?
- What constitutes compliance?
- What are the specific reporting and artifact requirements?
- Is the planned roll out timeframe reasonable?
We plan to address these and other issues and questions in future blog posts as more information becomes available.