The wait is over: Cybersecurity Maturity Model Certification (CMMC) Model v1.0 released

On Jan. 31, the Department of Defense (DOD) released the much-awaited Cybersecurity Maturity Model Certification (CMMC) Model v1.0, its new “unified cybersecurity standard for future DOD acquisitions.”

Under the CMMC Model, all DOD contractors and subcontractors are required to be audited and receive independent certification on their level of cybersecurity maturity. Currently there is no guidance on which defense contractors need to be certified at what level; that will be stipulated in Requests for Information (RFIs) and Requests for Proposals (RFPs). The DOD is expecting a handful of RFIs and RFPs to be issued later in 2020 to have CMMC requirements, and defense contractors interested in pursuing those RFIs/RFPs will need to be audited and certified before the contract award. The DOD expects that all RFPs will contain CMMC requirements by 2025, at which point all DOD contractors and subcontractors will need to demonstrate compliance in order to bid on any DOD work. 

To be certified, contractors and subcontractors will need to get audited by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs must be accredited by the CMMC Accreditation Body, a privately run non-profit organization. Accreditation of C3PAOs and the associated training are expected to start in spring 2020. Defense contractors will be able to identify accredited C3PAOs through a marketplace portal that will be maintained by the CMMC Accreditation Body. The C3PAOs’ audits will be based on CMMC Model v1.0.

Version 1.0 includes 17 capability domains with 43 capabilities; five processes across five levels to measure process maturity; and 171 practices across five levels to measure technical capabilities.   Contractors and subcontractors will be assessed, across the five levels of maturity, on their implementation of required cybersecurity controls, processes, and practices. In particular, the initiative aims to protect sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while reducing risks of Advanced Persistent Threats (APTs). The diagram below shows the 17 capability domains and the five levels of maturity for practices and processes:

The maturity levels are progressive and cumulative. To be certified at Level 1, a defense contractor must demonstrate compliance with 17 specific security practices; Level 2 requires compliance with 72 practices, including Level 1 practices; Level 3 maturity requires compliance with 130 security practices, including Level 1 and Level 2 controls; organizations seeking Level 4 maturity should comply with 156 security practices, including controls from Levels 1,2, and 3; and Level 5 maturity requires compliance with all 171 practices outlined in the CMMC v1.0 model. 

In summary, all defense contractors should review CMMC Model v1.0 and start assessing their environment and determining the gaps between their existing security processes, practices, and controls and what is expected for a certain maturity level.