Department of Defense Implements Cybersecurity Maturity Model Certification
On November 30, 2020, the Defense Acquisition Regulations System implemented changes to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). The CMMC, designed to improve cybersecurity measures for U.S. defense contractors, will require contractors to undergo an outside audit of their security measures.
The CMMC requires certification for almost all defense contractors, though there are five different levels of criteria. Contractors that handle Federal Contract Information need only register at the first CMMC level, while those that handle Controlled Unclassified Information will need to register at the third level. Contractors that handle more classified materials will need to register at the fourth or fifth CMMC levels, though this number is expected to be very small.
The next step in the CMMC process is the establishment of CMMC Third Party Assessment Organizations, which will be established in the coming months by the CMMC Accreditation Body. Before the formal audit process, contractors have been asked to self-certify their current cybersecurity procedures, which may be used in the planned audits.
Advocacy has commented previously on the CMMC, expressing concerns that smaller companies with lower levels of certifications will not be able to compete with larger firms with stronger certifications. Additionally, Advocacy warned that the CMMC might decrease the number of small business defense prime and sub-prime contractors while also adversely impacting the SBIR defense program for small business.
The Pentagon expects the full CMMC process will be established by 2025. In the meantime, the Department of Defense will begin incorporating CMMC requirements into their solicitations for defense contracts.
Advocacy Contact: Major Clark III