DoD just released the final version of its new contractor cybersecurity requirements, the Cybersecurity Maturity Model Certification (CMMC); I've blogged about the new requirements in this post in November.
Under the Cybersecurity Maturity Model Certification (CMMC), all contractors doing business with DoD will need to get certified as CMMC compliant to bid on contracts.
With this significant policy shift, it's critical that industry stakeholders stay informed and prepare for certification. How will CMMC impact defense contractors?
Here are five must-reads for those interested in getting a head start:
Defense Department: CMMC FAQs
For those new to CMMC, visiting the official CMMC website from the Office of the Undersecretary of Defense for Acquisition and Sustainment - leading the CMMC effort for DoD - is a great place to start.
In addition to official announcements and the latest drafts, the site includes a helpful Frequently Asked Questions page. The questions and answers are straightforward and, most importantly, come straight from the government office responsible for developing the policy.
Illustration: CMMC Seal
This article by Federal Computer Week's Lauren C. Williams covers industry concerns regarding CMMC implementation that are causing many contractors to hold off on their compliance efforts. Questions remain about the auditing process and how DoD will determine the certification level required to bid on a particular contract.
Companies want to make sure the auditing process does not vary based on individual auditors and are waiting to see a framework of metrics from the accreditation body overseeing the process.
There is also still confusion among stakeholders regarding how DoD will determine the level of certification required to bid on a particular contract. Higher certification levels mean smaller businesses will have to up their investment in security to meet the requirements or risk being left out of the bidding process.
The bottom line: Contractors should start working on their security plans.
A Watershed Moment in Cybersecurity (Lexology)
An in-depth analysis of the CMMC with an eye toward the future, the Lexology article A Watershed Moment in Cybersecurity for Government Contractors, written by Morrison & Foerster LLP attorneys Tina D. Reynolds and Rachael Plymale, examines how CMMC will likely impact the industry.
For those new to the world of CMMC, this piece emphasizes the gravity of the coming changes. Contractors who don’t meet certification requirements will not only lose out on individual contracts; they may end up exiting the defense industry entirely.
Counting Down to 2020 (National Law Review)
For those organizations already familiar with DoD’s existing contractor cybersecurity guidance, this overview by Erin L. Felix and Gregory S. Jacobs breaks down how CMMC builds upon and adds to those requirements.
Contractors are currently only required to “self-certify” that they meet the cybersecurity standards laid out in the DFARS and NIST SP 800-171. Entities already aligned with the NIST framework are ahead of the game and well-positioned for CMMC compliance.
The most noticeable difference for contractors under the CMMC will be the requirement to be assessed by a third party that will confirm their cybersecurity posture. No longer can contractors get by with telling DoD they meet the requirements without providing any validation.
DoD to contractors: Your cybersecurity is not good enough (CMMC Audit Preparation)
This community-driven resource serves entities interested in becoming auditors for the program.
While most of the interest in CMMC is driven by the contractors who will need certification, there is a parallel effort underway to recruit and organize third-party organizations responsible for doing the certifying.
The site is unique for its collaborative nature, inviting stakeholders to share information and discuss relevant issues.
Even if you are not on the auditing side of things, it’s a useful resource for getting a clearer picture of who will be reviewing your organization’s cybersecurity posture.