The wait is over: Cybersecurity Maturity Model Certification (CMMC) Model v1.0 released
On Jan. 31, the Department of Defense (DOD) released the much-awaited Cybersecurity Maturity Model Certification (CMMC) Model v1.0, its new “unified cybersecurity standard for future DOD acquisitions.”
Under the CMMC Model, all DOD contractors and subcontractors are required to be audited and receive independent certification on their level of cybersecurity maturity. Currently there is no guidance on which defense contractors need to be certified at what level; that will be stipulated in Requests for Information (RFIs) and Requests for Proposals (RFPs). The DOD expects a handful of RFIs and RFPs issued later in 2020 to carry CMMC requirements, and defense contractors interested in pursuing those RFIs/RFPs will need to be audited and certified before the contract award. The DOD expects that all RFPs will contain CMMC requirements by 2025, at which point all DOD contractors and subcontractors will need to demonstrate compliance in order to bid on any DOD work.
To be certified, contractors and subcontractors will need to get audited by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs must be accredited by the CMMC Accreditation Body, a privately run non-profit organization. Accreditation of C3PAOs and the associated training are expected to start in spring 2020. Defense contractors will be able to identify accredited C3PAOs through a marketplace portal that will be maintained by the CMMC Accreditation Body. The C3PAOs’ audits will be based on CMMC Model v1.0.
Version 1.0 includes 17 capability domains with 43 capabilities; five processes across five levels to measure process maturity; and 171 practices across five levels to measure technical capabilities. Contractors and subcontractors will be assessed, across the five levels of maturity, on their implementation of required cybersecurity controls, processes, and practices. In particular, the initiative aims to protect sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while reducing risks of Advanced Persistent Threats (APTs). The diagram below shows the 17 capability domains and the five levels of maturity for practices and processes:
The maturity levels are progressive and cumulative. To be certified at Level 1, a defense contractor must demonstrate compliance with 17 specific security practices; Level 2 requires compliance with 72 practices, including the Level 1 practices; Level 3 maturity requires compliance with 130 security practices, including the Level 1 and Level 2 controls; organizations seeking Level 4 maturity must comply with 156 security practices, including the controls from Levels 1, 2, and 3; and Level 5 maturity requires compliance with all 171 practices outlined in the CMMC v1.0 model.
In summary, all defense contractors should review CMMC Model v1.0 and start assessing their environment and determining the gaps between their existing security processes, practices, and controls and what is expected for a certain maturity level.