Cybersecurity Maturity Model Certification (CMMC)
Jul. 18th, 2019
The Pentagon has announced that it is developing a new cybersecurity certification program for Department of Defense contractors. Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, and the DoD are working with John Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.
CMMC aims to replace the current cybersecurity standard NIST SP 800-171 which falls under the DFARS clause 252.204-7012. CMMC will rely on numerous frameworks, including NIST 800-171, ISO 27001 and FedRAMP, but will serve as the enforcement that is lacking in the current DFARS rule. According to Ms. Arrington, everyone in the supply chain, including subcontractors, will need to be certified to do work with the DoD.
To shore up the supply-chain, the new standard CMMC (Cybersecurity Maturity Model Certification) will have five levels of certification ranging from “Basic Cyber Hygiene” to “State of the Art”. Those levels are as follows:
CMMC Level 2 – Intermediate Cyber Hygiene has 46 additional controls.
CMMC Level 3 – Good Cyber Hygiene has 47 controls in addition to completing the first 2 levels. Making level 3 the equivalent of the 110 controls currently found in NIST SP 800-171.
CMMC Level 4 – Proactive will have 26 more security controls in addition to the 110 found in NIST 800-171.
CMMC Level 5 – Advanced/Progressive/ State-of-the-Art will have 30 more security controls in addition to the 110 found in NIST 800-171.
As it stands, small business contractors, like metal manufacturers and printing companies, are being asked to comply with the same standard (NIST 800-171) as the larger defense primes. This makes it difficult for small businesses to keep up with the effort and costs of implementing that standard. The CMMC will be semi-automated and, more importantly, cost-effective enough so that Small Businesses can achieve the minimum CMMC level of 1, while larger primes will need to certify at a level 3.
– Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber
The current DFARS cybersecurity clause does not require third-party audits. Contractors may self-certify that they have implemented NIST SP 800-171. CMMC will require independent, third-party audits. Ms. Arrington, her team, and the DoD are in the process of selecting a non-profit organization to train and select the companies who will have the authority to audit and certify contractors with one of the five-level of certifications.
ComplyUp is working closely with officials to develop a tool that contractors can use to gain certification with the new standard. The tool will walk contractors through the assessment process providing guidance and allowing third-party auditors with quick, easy access to automate as much of the process as possible. ComplyUp will be first to market a solution for CMMC and will keep the cost low in order to maintain the effort of making implementation of the standard cost-effective.
The DoD plans to release the draft for CMMC by January. We can expect to see the new standard in RFI’s in June 2020 and in RFP’s by Fall of 2020. Contractors are expected to start achieving their certification between the January draft and the June release.