The wait is over: Cybersecurity Maturity Model Certification (CMMC) Model v1.0 released
On Jan. 31, the Department of Defense (DOD) released the much-awaited Cybersecurity Maturity Model Certification (CMMC) Model v1.0, its new “unified cybersecurity standard for future DOD acquisitions.”
Under the CMMC Model, all DOD contractors and subcontractors are required to be audited and receive independent certification on their level of cybersecurity maturity. Currently there is no guidance on which defense contractors need to be certified at what level; that will be stipulated in Requests for Information (RFIs) and Requests for Proposals (RFPs). The DOD is expecting a handful of RFIs and RFPs to be issued later in 2020 to have CMMC requirements, and defense contractors interested in pursuing those RFIs/RFPs will need to be audited and certified before the contract award. The DOD expects that all RFPs will contain CMMC requirements by 2025, at which point all DOD contractors and subcontractors will need to demonstrate compliance in order to bid on any DOD work.
To be certified, contractors and subcontractors will need to get audited by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs must be accredited by the CMMC Accreditation Body, a privately run non-profit organization. Accreditation of C3PAOs and the associated training are expected to start in spring 2020. Defense contractors will be able to identify accredited C3PAOs through a marketplace portal that will be maintained by the CMMC Accreditation Body. The C3PAOs’ audits will be based on CMMC Model v1.0.
Version 1.0 includes 17 capability domains with 43 capabilities; five processes across five levels to measure process maturity; and 171 practices across five levels to measure technical capabilities. Contractors and subcontractors will be assessed, across the five levels of maturity, on their implementation of required cybersecurity controls, processes, and practices. In particular, the initiative aims to protect sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while reducing risks of Advanced Persistent Threats (APTs). The diagram below shows the 17 capability domains and the five levels of maturity for practices and processes:
The maturity levels are progressive and cumulative. To be certified at Level 1, a defense contractor must demonstrate compliance with 17 specific security practices; Level 2 requires compliance with 72 practices, including Level 1 practices; Level 3 maturity requires compliance with 130 security practices, including Level 1 and Level 2 controls; organizations seeking Level 4 maturity should comply with 156 security practices, including controls from Levels 1,2, and 3; and Level 5 maturity requires compliance with all 171 practices outlined in the CMMC v1.0 model.
In summary, all defense contractors should review CMMC Model v1.0 and start assessing their environment and determining the gaps between their existing security processes, practices, and controls and what is expected for a certain maturity level.
InsightStart preparing now to earn points on GSA’s Polaris contract opportunityJeff Shapiro, Bhavesh VadhaniLearn what self-assessments, certifications, and other potential requirements to consider now for this upcoming IT services government contracting opportunity.
InsightGOVERNMENT CONTRACTING: DCAA issues guidance on coronavirus-related legislationJeff Shapiro, Caitlin LewisRead considerations for incurred cost audits and forward pricing audits potentially impacted by the CARES Act, the FFCRA, and more.
InsightHome office expenses: Tax and FAR implications for government contractorsJeff Shapiro, Dana Fried, Chase ClarkLearn what costs related to helping government contracting employees work from home may be allowable, deductible, and non-taxable amid COVID-19.
Press ReleaseChristine Williamson named Business Partner of the Year in MCCC's annual awardsCohnReznick LLP, one of the leading advisory, assurance, and tax firms in the United States, announced that Christine Williamson, CPA, PMP, and a lead partner in the firm’s Government Contracting practice, has been named Business Partner of the Year by the Montgomery County Chamber of Commerce (MCCC) in its first-ever virtual 2020 Business Awards program.