The wait is over: Cybersecurity Maturity Model Certification (CMMC) Model v1.0 released
On Jan. 31, the Department of Defense (DOD) released the much-awaited Cybersecurity Maturity Model Certification (CMMC) Model v1.0, its new “unified cybersecurity standard for future DOD acquisitions.”
Under the CMMC Model, all DOD contractors and subcontractors are required to be audited and receive independent certification on their level of cybersecurity maturity. Currently there is no guidance on which defense contractors need to be certified at what level; that will be stipulated in Requests for Information (RFIs) and Requests for Proposals (RFPs). The DOD expects a handful of RFIs and RFPs issued later in 2020 to include CMMC requirements, and defense contractors interested in pursuing those RFIs/RFPs will need to be audited and certified before the contract award. The DOD expects that all RFPs will contain CMMC requirements by 2025, at which point all DOD contractors and subcontractors will need to demonstrate compliance in order to bid on any DOD work.
To be certified, contractors and subcontractors will need to get audited by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs must be accredited by the CMMC Accreditation Body, a privately run non-profit organization. Accreditation of C3PAOs and the associated training are expected to start in spring 2020. Defense contractors will be able to identify accredited C3PAOs through a marketplace portal that will be maintained by the CMMC Accreditation Body. The C3PAOs’ audits will be based on CMMC Model v1.0.
Version 1.0 includes 17 capability domains with 43 capabilities; five processes across five levels to measure process maturity; and 171 practices across five levels to measure technical capabilities. Contractors and subcontractors will be assessed, across the five levels of maturity, on their implementation of required cybersecurity controls, processes, and practices. In particular, the initiative aims to protect sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while reducing risks of Advanced Persistent Threats (APTs). The diagram below shows the 17 capability domains and the five levels of maturity for practices and processes:
The maturity levels are progressive and cumulative. To be certified at Level 1, a defense contractor must demonstrate compliance with 17 specific security practices; Level 2 requires compliance with 72 practices, including Level 1 practices; Level 3 maturity requires compliance with 130 security practices, including Level 1 and Level 2 controls; organizations seeking Level 4 maturity should comply with 156 security practices, including controls from Levels 1, 2, and 3; and Level 5 maturity requires compliance with all 171 practices outlined in the CMMC v1.0 model.
In summary, all defense contractors should review CMMC Model v1.0 and start assessing their environment and determining the gaps between their existing security processes, practices, and controls and what is expected for a certain maturity level.