Government departments weigh several factors when selecting contractors, but cyber security is quickly climbing to the top of the list, especially when the procuring department is the US Department of Defense (DoD).
In the past, contracting authorities would rely on an organization’s self-assessment of its risk posture and compliance, often posting the specific requirements only after the contract was awarded. At times this resulted in awarded contractors misrepresenting their cybersecurity efforts. The DoD has now announced the introduction of the Cybersecurity Maturity Model Certification (CMMC), which requires all companies competing for a DoD contract to obtain certification from an accredited, third-party certification organization ‘pre-award’ in order to be considered. This new requirement from the DoD will ensure that contractors are implementing the appropriate levels of practices and processes necessary for basic cyber hygiene, and that the controlled unclassified information stored by these contractors remains protected.
What are the CMMC requirements?
The DoD has been working with Johns Hopkins University Applied Physics Laboratory (APL), Carnegie Mellon University Software Engineering Institute (SEI), and others to construct one unified standard for cybersecurity.
The CMMC model framework breaks down cyber security standards into 17 Domains, each consisting of various Capabilities. Within these Capabilities are various Practices and Processes. Potential contractors will be assessed against these criteria and assigned a certification level between 1 and 5, denoting a degree of cybersecurity maturity.
Does CMMC apply solely to prime contractors, or to lower-level suppliers too?
According to the DoD, all subcontractors will be required to have CMMC certification, regardless of size or function. It is thought that all subcontractors will be required to meet a minimum of a CMMC Level 2 (second lowest level of certification). In other words, if you wish to apply for any DoD contract, or to become a subcontractor to a major DoD supplier, you will be required to secure CMMC certification in advance.
How will certification be granted?
Each request for proposals (RFP) from the DoD will now explicitly state the level of CMMC certification required. Each applicant will need to coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a CMMC assessment. The training, quality and administration of third-party assessment organizations will be overseen by the CMMC Accreditation Body. Certification levels will be made public.
When will CMMC become relevant to DoD suppliers?
The CMMC requirements will begin to appear as part of DoD Requests for Information in June 2020.
How will CMMC impact my business?
This will partly depend on the size of your company. Unless they use a technological solution to help prepare for the audit and certification, large companies will likely need to dedicate significant staffing resources to ensure cybersecurity compliance and ongoing standards, especially when they depend on a flow of subcontractors.
Smaller companies should also expect to increase their cyber security budgets, but on a smaller scale. The DoD has made clear that it aims for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC certification levels.