The first official version of the Cybersecurity Maturity Model Certification (CMMC) has been released by the Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment [OUSD(A&S)]. This is part of an ongoing effort to give organizations involved in DoD operations more accurate and more effective insight into modern cybersecurity best practices.
That makes the CMMC a valuable resource – but only if you understand it. Do you know what this latest version entails, and what it means for you?
The CMMC is the DoD's way of certifying its contractors' ability to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the supply chain.
This builds upon the requirements set out by the Defense Federal Acquisition Regulation Supplement (DFARS), the Code of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely NIST SP 800-171).
The DoD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America's national security and put our military members at risk.
The DoD has implemented a basic set of cybersecurity controls through DoD policies and the DFARS. The DFARS rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit Controlled Unclassified Information (CUI). These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance developed by NIST in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
As a U.S. DoD contractor who collects, stores, or transmits Covered Defense Information (CDI) or Controlled Unclassified Information (CUI), you must comply with NIST SP 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance. If you don't, you can't bid on DoD contracts, and you may lose the ones you have. The CMMC is the DoD's way of giving contractors like you a method for verifying that the appropriate measures have been put in place.
While Version 1.0 is largely similar to the previous draft (0.7), there are a range of updates that you should be aware of:
The previous draft only detailed this information for levels 1-3.
Unfortunately, version 1.0 does not say how long a certification remains valid. However, Katie Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition and a key player in the rollout of CMMC, stated in a press briefing on the morning of the release that a company's certification will be "good" for three years.
If you're unsure of how to comply with DFARS, NIST, CFR and the CMMC, don't risk it – work with a skilled and knowledgeable partner like Data Magic Computer Services.