- HOW TO GET YOUR -
CYBERSECURITY MATURITY MODEL
THE GREATEST CYBERSECURITY RISK ~ CONTRACTORS
"In the past two years, Pentagon officials have become increasingly concerned that one of their greatest cybersecurity risks lies in the second- and third-tier contractors who work with the Defense Department and the largest defense companies."
Ms. Ellen Lord
DoD Undersecretary for Acquisition and Logistics
Fifth Domain Article, March 25, 2019
CMMC REQUIRED for FY21 DoD CONTRACT AWARDS:
Why CMMC?: Malicious cyber attacks occur daily, costing the economy tens of billions of dollars every year; they are a threat to the economic security of the U.S. and the global community.
The Department of Defense (DoD) and its Defense Industrial Base (DIB) are the constant target of cyber bad actors threatening our national security. The DIB plays a significant role throughout the DoD warfighter supply chain, regularly conducting unclassified DoD-contract business using its information technology enterprise. The loss or cyber-theft of such information is a significant risk to national security and to U.S. technical innovations and advantages.
The DoD, working with industry and academia, created the CMMC to help combat cybersecurity threats and risks and to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It is the duty of the companies doing business with the DoD (Contractors) to comply with CMMC; otherwise they will lose their ability to work for the DoD.
CMMC Version 1.0: CMMC Version 1.0 was released in January 2020.
FY21 Requirement: Beginning October 2020, Contractors must be CMMC certified to receive a DoD contract award (this does not apply to option-period awards on pre-FY21 contracts). A prime Contractor is required to flow down the appropriate CMMC level requirement to its subcontractor(s). Subcontractors without the required CMMC certification are not eligible to participate.
NOTE: A Plan of Action & Milestones (POA&M) SHALL NOT be accepted in lieu of the CMMC at the time of award.
What Level Do I Need?: DoD intends to introduce CMMC requirements into solicitations on a gradual basis beginning September 2020, and the required CMMC certification level shall vary per solicitation.
The prime Contractor must possess the CMMC certification.
Subcontractors must possess CMMC certification.
Who Certifies Me?: Only CMMC Accreditation Board (CMMC-AB) certified third-party assessor organizations (C3PAO) and their CMMC-AB-certified assessors can audit your company for certification.
OBTAINING CMMC CERTIFICATION:
CMMC CERTIFICATION IS NOT YET AVAILABLE (as of 4/1/2020)
The CMMC-AB has not yet finalized the certification and licensing requirements, training, and testing for either C3PAOs or Assessors. SoundWay is working with members of the CMMC-AB and its planning committees; our goal is to be in the first phase of C3PAOs licensed and Assessors certified.
CONDUCT A PRE-AUDIT: A Contractor should conduct a pre-audit of its information systems to identify and resolve any compliance failures prior to its formal audit.
CMMC consultants are available to conduct pre-audits and help a Contractor identify and resolve its compliance failures. A CMMC consultant that is also a C3PAO cannot both provide CMMC consulting services and conduct the formal CMMC audit for the same Contractor company.
ENGAGE A C3PAO: A Contractor must engage a C3PAO to conduct its information systems audit. Only DoD-approved C3PAOs may conduct audits.
DON'T BE FOOLED: Don't be fooled by anyone promising you CMMC certification just yet. The DoD hasn't approved any C3PAOs as of February 2020.
May - June 2020: DoD Certified C3PAOs available to conduct CMMC audit.
February - June 2020: Certified Third-Party Assessor Organizations trained by DoD.
January 2020: DoD CMMC Version 1.0 is released. Going forward, all RFIs must contain CMMC
September 2019: DoD CMMC releases the CMMC Framework - Draft Version 0.4 for public comment.
The draft described the CMMC Framework as a unified cybersecurity standard intended to build upon existing regulations, policy, and memoranda by adding a verification component to the existing standards for safeguarding Controlled Unclassified Information (CUI) within the DIB.
July 2019: Securing the DoD Supply Chain (based on CMMC Framework Draft Version 0.2) is presented by HQE Cyber for ASD (A). Research conducted in concert with Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) shows that the vast majority of the DIB's cyber hygiene practices are inconsistent and that DIB companies are regularly the victims of low-level cyber attacks. The briefing
May 2019: DoD announces its plans for creating and implementing the Cybersecurity Maturity Model Certification (CMMC); initial efforts began in early 2019. The CMMC concept is the result of, and a response to, a series of high-profile DoD information breaches, which caused the DoD to reevaluate its reliance on the Defense Industrial Base's (DIB) self-administered DFARS 252.204-7012 and NIST 800-171 security controls and their ability to thwart increasing and evolving threats, especially from nation-state actors.
November 2018: The DoD released guidance to assist acquisition personnel in developing effective cybersecurity strategies for acquisitions (solicitations), and to help enhance and simplify protection requirements guidance: Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.