DOD issues cyber standards for contractors
On Jan 31, the Pentagon released the official version 1.0 Cybersecurity Maturity Model Certification, requiring any company doing business with the Department of Defense to meet "at least a basic level of cybersecurity standards."
The Defense Department has issued the long-awaited cybersecurity standards that all of its contractors must meet.
On Jan 31, the Pentagon released the official version 1.0 Cybersecurity Maturity Model Certification. It requires any company that does business with the Department of Defense, primes as well as subcontractors, to meet "at least a basic level of cybersecurity standards" when they respond to requests for proposals.
CMMC is informed by the National Institute of Standards and Technology's guidance on protecting controlled unclassified information (CUI) in non-federal systems and on security and privacy controls for federal systems. It outlines five levels of certification addressing both cybersecurity practices and processes.
Level 1 covers basic cyber hygiene. Level 2 would involve certifying cybersecurity processes as well, to ensure a Defense contractor is "effectively documenting, managing, reviewing and optimizing its practices across its entire enterprise," Katie Arrington, DOD's chief information security officer for acquisition, said in the Jan. 31 press briefing. Level 5 requires a vendor to standardize cybersecurity practices across the organization and focuses on the protection of CUI from advanced persistent threats.
DOD plans to release 10 requests for information and 10 RFPs this year that will require CMMC certification when the contract is awarded, Arrington said. By fiscal year 2026, all new DOD contracts will contain CMMC requirements, according to Under Secretary of Defense for Acquisition and Sustainment Ellen Lord. The CMMC will be a "complicated rollout," she said, and the five-year timeline before it becomes mandatory in all contracts was "realistic."
Some of those complications involve the ability of smaller companies to meet the standards without undue burden. DOD has repeatedly stressed that small and medium-sized businesses were a priority in rolling out CMMC.
"One of our challenges is how to bring companies that aren't familiar with defense work in," Lord said when asked about how companies unfamiliar with defense contracts would be able to prepare for the shift. "We just created early this year, what we call a placemat, with step-by-step, how you work with industry."
Kevin Fahey, DOD's deputy acquisition chief, told reporters during the briefing that prime contractors could have subcontractors work within their infrastructure to ensure cybersecurity.
Another complication concerns the third-party auditors conducting assessments. While the initiative's success relies heavily on the CMMC accrediting body and how it shapes training for the assessors, those assessors have not been selected and no one has yet been "designated as qualified," Lord said. Officially dubbed CMMC third-party assessment organizations (C3PAOs), the assessors will be charged with certifying contracting companies, and are trained by the newly stood up CMMC Accrediting Body.
DOD is currently drafting a memorandum of understanding to establish rules, roles and responsibilities between it and the accrediting body. Lord said that memo will address conflicts of interest such as ensuring auditors won't be able to review their own company.
Once the marketplace portal run by the accrediting body is up and running, companies will be able to apply for certification through it, Arrington said. The CMMC certification will be good for three years; with it, companies will be able to bid on contracts across DOD and the military services.
The DOD acquisition officials said they would share the guidance as it is being developed.
A longer version of this article was first posted to FCW, a sibling site to GCN.