What is the DoD Cybersecurity Maturity Model Certification (CMMC)?

What is the DoD Cybersecurity Maturity Model Certification (CMMC)?


In June 2019, Dawn Greenman of Johns Hopkins University and Liz Hogan of E-N Computers sat in on a briefing. The Department of Defense announced that it is introducing a new cybersecurity standard for contractors -- the Cybersecurity Maturity Model Certification (CMMC). With cyberattacks and cyber-warfare in the news week after week, it’s no surprise that the Department of Defense is ready to take a harder line on enforcing cybersecurity standards for defense contractors handling sensitive information. The aim is to protect the supply chain and the Defense Industrial Base (DIB) from attack by foreign states or rogue actors.

If your business depends on defense contracts or subcontract work, then you’ll want to make sure that you understand the new regulations, and that you’re prepared when they take effect -- which is expected sometime in 2020.

What are the Current Cybersecurity Standards for Defense Contractors?

Cybersecurity requirements for contractors are already spelled out in the Defense Federal Acquisition Regulation Supplement (DFARS), in DFARS Clause 252.204-7012. This regulation requires that contractors handling unclassified but sensitive information follow the security controls outlined in NIST Special Publication 800-171. This includes things like authentication, access control, configuration management, and other basic cybersecurity requirements for systems that deal with controlled unclassified information (CUI).

Currently, contractors may self-certify that they are complying with DFARS 7012 -- there are no third-party auditing requirements in place. However, as you can imagine, the vast majority of contractors fail to comply with the rule.

Therefore, the DoD announced the creation of the Cybersecurity Maturity Model Certification to address these gaps in compliance and enforcement of cybersecurity regulations.

How Will the CMMC Work?

While not all of the details of CMMC have been made public yet, it is expected to be largely based on the same NIST SP 800-171 security controls in use today. In that case, contractors will be assigned a score from 1 to 5 in each of the 14 control “families” outlined in 800-171, based on how many of the controls in that family have been implemented.

Additionally, separate scores will be issued for “sophistication” and “institutionalization” of these security practices. This means that it’s not enough to just have secure policies in theory -- your organization needs to actually follow them consistently in order to achieve a high CMMC score.

How Will CMMC Affect My Business?

In the coming months, DoD will provide more information on the proposed rollout schedule for CMMC. However, it’s a good idea to start taking steps now to get ready for it.
Each contract will specify what CMMC level is required for the contract. And it’s likely that these requirements will trickle down to subcontractors as well. So, the sooner you prepare for CMMC, and the higher the CMMC score you can achieve, the bigger the advantage you’ll have over the competition when the time comes.

But what steps can you take now to get ready for CMMC? Next week’s Tech Thursday article will cover a few cybersecurity improvements you can make to get ready for CMMC ASAP.

Need more help with improving your company’s cybersecurity posture? E-N Computers is a full-service IT Managed Service Provider. We help businesses in Washington, D.C, Charlottesville and the Shenandoah Valley to secure their systems and comply with government regulations. Contact us today!