June 11, 2020
As if there isn’t already a lot going on for manufacturers today, defense contractors need to add another major initiative to their list: getting ready for the Cybersecurity Maturity Model Certification (CMMC).
The CMMC is a unified standard for implementing cybersecurity across companies in the defense supply chain that protects sensitive information located on contractors' information systems.
Beginning in Fall 2020, defense contractors will be unable to bid on new contracts if they are not compliant with the Cybersecurity Maturity Model Certification (CMMC) standard. CMMC is expected to be incorporated into DFARS clause 252.204-7012, which means that this new contract requirement flows down to subcontractors in all tiers without alteration.
Unfortunately, the CMMC DFARS rulemaking process is not complete, and there are no firm timelines for when assessors will be ready to begin scheduling assessments. What is expected, however, is that forward-thinking contractors that are prepared as soon as licensed assessors are available will be eligible to bid on more contracts and avoid potential assessment backlogs.
We’ve identified five steps to help defense contractors position themselves for greater success to achieve certification. This week, we look at where contractors can start—identifying their target maturity level.
Step 1: Identify target maturity level
The CMMC framework organizes cybersecurity processes, capabilities, and practices into a set of 17 capability domains mapped across five maturity levels. These five levels represent a progression in cybersecurity capabilities, introducing and characterizing additional processes and practices required to achieve certification at each level.
Level 1 focuses on “basic cyber hygiene” practices such as regularly changing passwords and using anti-virus software. Level 2 is a transitional step to Level 3. Level 3 requires a significant increase in practices, from 72 to 130, and the incorporation of organizational policy in order to protect Controlled Unclassified Information (CUI).
Levels 4 and 5 are intended for companies working on critical technologies and the most sensitive programs. These levels require active cyber defense processes and practices against the tactics, techniques, and procedures used by Advanced Persistent Threats.
To determine the target maturity level, a contractor needs to review the current contracts and programs they’d like to bid on in the future. Both current contractors and those new to DoD programs should review the RFIs and RFPs expected in Fall 2020 to understand what maturity levels are being required for typical program roles. CMMC has already been mentioned in DoD SBIR 2020 BAAs and the CIO-SP4 draft RFP, with the official solicitation expected Dec 2020.
A quicker way for contractors to determine their necessary maturity level is to confirm whether they currently work on projects requiring ITAR compliance. If they do, those contractors would need to target Level 3 of the CMMC standard, at a minimum, since ITAR data is considered CUI. Contractors will need to carefully evaluate whether they receive, handle, or generate other CUI and where that information is stored. More information about identifying CUI is maintained by NARA.