New Cybersecurity Certification Requirements Coming in 2020

The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is coming in 2020. What does that mean? While the FAR and DFARS already contain provisions requiring contractors to implement cybersecurity measures when dealing with unclassified information (FAR 52.204-21; DFARS 252.204-7012), this certification program will bring a new level of enforcement to those regulations. And while this new certification is currently limited to DoD, there is widespread speculation that it will eventually apply to all other Federal agencies.

Per the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment, the “CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced”. Building upon the existing DFARS regulations, CMMC will add a verification component, is intended to be cost-effective for small businesses, and will use independent third parties to conduct audits.

The CMMC is an effort to combine several existing standards (NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others) into one unified standard for cybersecurity. While the official language in the cybersecurity regulations sounds complicated, a lot of it is actually fairly simple. Some of it is as basic as locking your facility, keeping track of who has keys, requiring individual logins and passwords, shredding paper records, and using and updating your antivirus software.

Implementing this cybersecurity compliance means doing 3 things:

  • Implement a system security plan based on NIST 800-171
  • Develop and execute a Plan of Actions and Milestones – how you’re going to address deficiencies and achieve compliance
  • Develop and implement a system for reporting any cyber incidents

These standards basically require contractors to implement the cybersecurity standards outlined by the National Institute of Standards and Technology (NIST) publication SP 800-171 for dealing with Controlled Unclassified Information, or CUI. What is CUI? CUI is a term for all unclassified information that needs to be safeguarded, or “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls”. A registry of CUI can be found at

To become certified, your business will need to coordinate with an approved third-party certification organization to schedule an assessment. You’ll select the level of certification required by your business (from basic to advanced), and you’ll be awarded certification at the appropriate level based on demonstrating your capabilities and organizational maturity. 

The initial framework for CMMC will be available in January, and the CMMC requirements will start appearing in Requests for Information (RFI) in June 2020.

Stay tuned for more cybersecurity information in the New Year!