The U.S. Department of Defense has announced pilot contracts that will not include requirements from the Cybersecurity Maturity Model Certification (CMMC) program. Pilot nominations are currently under review for military service and defense agencies, which will include roles in the U.S. Navy, U.S. Air Force and Missile Defense Agency.
The Pentagon’s CMMC program was buoyed by an interim rule that became effective on November 30th, 2020. It is estimated that around 1,500 companies currently in the defense industrial base will now have to be certified under CMMC. This mandate will be active during the fiscal year 2021 and be required for anyone who wants to compete for pilot contracts.
Mid-sized programs which require contractors to process/store Controlled Unclassified Information (CUI)—related to Level 3 CMMC—will be the focus of the first wave of implementation. Appropriate CMMC requirements will flow down to subcontractors. Projected growth is 75 contracts for 2022 and then 475 contracts by 2025.
There are many implications of the DoD’s Cybersecurity Maturity Model Certification. It is vital that anyone pursuing a DoD contract fully understand the existing standards.
What Are CMMC Certifications?
CMMC Certifications are part of the U.S. Government’s cybersecurity standards. The CMMC model has five levels, which are cumulative. CMMC includes more cybersecurity practices than the requirements in NIST SP 800-171 and other, previously used protocol/criteria.
The five maturity levels of the CMMC are:
- Level One—Processes: Performed and Basic Cyber Hygiene (protection of FCI).
- Level Two—Processes: Documented and Intermediate Cyber Hygiene (NIST SP 800-171 plus additional practices).
- Level Three—Processes: Managed and Good Cyber Hygiene (NIST SP 800-171, DFARS clause 252.204-7012 plus additional practices, including incident reports).
- Level Four—Processes: Reviewed and Proactive (protecting CUI from APTs and additional best practices in cybersecurity).
- Level Five—Processes: Optimizing and Advanced/Proactive (sophisticated cybersecurity capabilities).
To obtain higher levels, lower ones must be met.
The CMMC is accredited by an independent organization and complies to the ISO/IEC 17011.
Companies can become Authorized or Accredited after a CMMC assessment. CMMC certificates are issued from the accrediting body and submitted to the DoD.
Why Do CMMC Certifications Matter?
Version one of the CMMC standards were released at the end of January 2020. Throughout the course of this past year, certification processes have been enacted. The National Institute of Standards and Technology (NIST) SP 800-171 Rev 1 are part of levels one to three CMMC requirements. These standards will create a global framework for defense contracts.
Cybersecurity threats are immanent and more sophisticated than ever. The level of security that can be offered by a company seeking a defense contract must be verifiable. Setting these standards in place and providing a path to certification is the surest way to generalize and enforce best practice.
What Companies Hold CMMC Certifications?
The Pentagon experts 7,500 companies to become CMMC certified by 2021. The defense industrial base is widely interconnected. By the year 2026, all solicitations by companies who want to do business with the Pentagon will be expected to include CMMC standards.
Defense Industrial Base (DIB) Contractors and companies who want to do business with defense agencies or the Pentagon will have to obtain CMMC certifications.
Attila Security for Government Agencies
Cyberattacks threaten the intellectual property and sensitive data and pose a real problem for national security. Malicious actors see the vulnerabilities of the companies that make up the DIB. Existing regulations are insufficient to shore up the defenses of the many small companies that are a part of this network. The purpose of CMMC is to improve cybersecurity along the supply chain, locking down and fully protecting sensitive data. Attaining and maintaining this certification will ensure that businesses in contract with the DoD have clear, consistent and effective security practices.
Is your business seeking a CMMC certification? Read our white paper about how to prepare for the new CMMC framework.