The Department of Defense (DoD) has released the final version of its Cybersecurity Maturity Model Certification (CMMC), which aims to certify DoD contractors’ cybersecurity practices and bolster supply chain security.
At a press conference today, Undersecretary of Defense Ellen Lord, Assistant Secretary of Defense for Acquisition Kevin Fahey, and Chief Information Security Officer for Acquisition Katie Arrington spoke about the importance of CMMC Version 1.0. Undersecretary Lord said that while today marks an important milestone, there’s still plenty of work to be done.
Lord offered that one of her biggest concerns with implementing CMMC was the impact on small and medium-sized businesses.
“We need small and medium businesses in our defense industrial base and we need to retain them,” Lord said. “We know that the adversary looks at our most vulnerable link . . . usually six, seven, or eight levels down in the supply chain.” Lord emphasized the importance of innovation coming from small and medium-sized businesses, and that there are several ideas being discussed on how to cost effectively accredit those businesses.
Moving forward, DoD will focus on the remaining CMMC timeline, selecting third-party vendors, rulemaking, and completing a memorandum of understanding with a newly established CMMC accrediting body. The accrediting body was established earlier in the month and is made up of 13 self-appointed members from the military industrial base, the cybersecurity community, and academia.
“It is made up of unbiased parties that will oversee the training, quality, and administration of the CMMC third-party assessment organizations (C3PAOs),” Lord said of the accrediting body.
Arrington said the accrediting body will have an informational website available in March or early April.
CMMC requirements will appear in selected requests for information (RFIs) in June 2020, followed by the corresponding requests for proposals (RFPs) in September 2020, with certification required at the time of contract award. Completion of a new Defense Acquisition Regulation and a new Defense Federal Acquisition Regulation Supplement (DFARS) rule is expected in late spring or early summer.
Arrington spoke about some of the specifics of CMMC, including the five Maturity Model Process Progression levels, which (from Level 1 through Level 5) are: Performed, Documented, Managed, Reviewed, and Optimizing. Arrington emphasized that current contracts will not have CMMC in them, and she said she expects it to take at least five years for CMMC to be fully implemented, as current contracts expire over that timeframe.
“It was critically important for us to engage and receive feedback from all key stakeholders throughout the process so we could build the best model possible,” Arrington said. “Their feedback – plus thousands of public comments – received between September and December 2019 helped earlier iterations of the draft CMMC models.”
Zscaler’s Vice President for Federal Andrew Schnabel provided some perspective on the CMMC, stating: “Moving away from self-reported security certifications, and toward a tiered system will ensure that industry and defense agencies are more tightly aligned. This is a step in the right direction to reduce risk and ensure reliable certification of industry solutions that have comprehensive security fit to protect defense agencies’ systems and sensitive data. Industry should work to provide RFIs for solutions that provide consistent and comprehensive security across traditional data centers, cloud, and mobile users.”
The Professional Services Council offered that: “This new DoD standard addresses cybersecurity vulnerabilities in the defense industrial base and throughout the supply chain. This standard incorporates relevant control frameworks, security solutions, and mission systems development frameworks. It will affect how companies compete in the defense marketplace and work with DoD to deliver on contracts.”