DoD Announces New Cybersecurity Maturity Model Certification (CMMC)

The Department of Defense is planning to roll out a new cybersecurity framework for the Defense Industrial Base (DIB) sector. The Cybersecurity Maturity Model Certification (CMMC) will focus on protecting controlled unclassified information (CUI) within the supply chain.

CMMC will contain multiple maturity levels that range from basic cybersecurity hygiene to advanced. The required CMMC level will be identified in RFP sections L and M and used as a go/no-go decision.

The first version of the CMMC will be available in January 2020. Industry should begin to see the CMMC requirements in Requests for Information in June 2020.

The CMMC will be a combination of various cybersecurity standards like NIST SP 800-53, NIST SP 800-171, ISO 27001, ISO 27032, AIA NAS9933 and others.

DoD contractors will need to coordinate with an accredited and independent third-party commercial certification organization to receive a CMMC audit. The contractor will be awarded certification at the appropriate CMMC level after demonstrating compliance with the CMMC to the assessor and certifier.

One of the most exciting developments is that cybersecurity is now an allowable cost. DoD contractors will be reimbursed for costs associated with meeting the CMMC requirements.

The CMMC is currently being developed and more information will be released in the upcoming months. Remedia Security will be providing a detailed analysis of the draft CMMC and how DoD contractors can prepare for meeting the requirements.