A change is coming for government contractors who provide goods and services to the U.S. Department of Defense. In 2020, contractors will be required to comply with the recently announced Cybersecurity Maturity Model Certification (CMMC) process.
CMMC stands for Cybersecurity Maturity Model Certification. It is the latest security framework mandated by the Department of Defense (DoD) for any contractor that sells into the DoD. It outlines a range of security maturity levels that must be met and will be used by the DoD as a qualification criterion for RFPs and vendor selection.
In 2015 the DoD identified specific cyber requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7008 and 252.204-7012). DFARS required DoD contractors to adopt cybersecurity processes and standards created by the National Institute of Standards and Technology (NIST). All government contractors needed to represent that they had implemented the requirements of NIST SP 800-171 by the end of 2017. The framework, NIST SP 800-171, was part of a broad government initiative to protect the DoD supply chain from cyber threats and other security risks.
The framework required contractors to “self-attest” that they had met the requirements of NIST 800-171. It became apparent that this did not go far enough, so CMMC was introduced to take the NIST 800-171 framework, add new controls and levels of security maturity, and require contractors to be officially certified. The intent is to bring even higher levels of assurance to protect DoD assets. The framework defines cybersecurity practices at the highest level by domain. Each domain is then segmented by capabilities, and capabilities identify contractor achievements that ensure cybersecurity requirements are met within that domain. DoD contractors will need to demonstrate compliance with required capabilities by showing adherence to practices and processes that have been mapped across the five maturity levels of CMMC.
The CMMC Accreditation Body (AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs). Companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
While CMMC has been rolled out, organizations are still awaiting the list of C3PAOs. As such, for an organization to work in the current environment it must meet the NIST SP 800-171 requirements and, in anticipation of future contracts, make sure it is prepared for CMMC certification.
The challenge lies in how to meet both requirements. While NIST SP 800-171 will be a subset of CMMC, how can an organization prepare for both without adding extra layers of cost and work? Ideally, it should work in a fashion that incorporates both frameworks and allows for proper reporting on each.
Working with providers who understand how to leverage these requirements will allow an organization to make sure they are ready now and for future contracts. Utilizing software that harmonizes both frameworks and can provide the requisite reports and information to meet the current NIST 800-171 and future CMMC certification requirements will help in assuring ongoing and future business.