DOD will Require Cybersecurity Certification Starting Fall 2020

It’s not too soon to start thinking about those New Year’s resolutions. Along with other personal goals, federal contractors might want to add a cybersecurity resolution to their list. The Department of Defense has drafted a cybersecurity certification that will be finalized in January 2020. Starting next fall, contractors will have to be certified in order to submit proposals on defense solicitations. Read on for some of the highlights.

The Cybersecurity Maturity Model Certification, or CMMC, is designed to “review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.” It adds to the safeguards for covered defense information that have been implemented under the existing DFARS 252.204-7012. This regulation provides procedures for adequate security and reporting of cyber incidents.

The new certification will require “certified independent 3rd party organizations to conduct audits” of federal contractors. But the requirements will be proportional to the size of the contractor, with the goal to be “cost-effective and affordable for small businesses to implement at the lower CMMC levels.”

You can take a look at the current version of the CMMC; it will be updated until finalized in January 2020, with the next update scheduled for November. RFPs will start requiring this certificate next fall.

The CMMC site includes a list of FAQ’s and other information that you should check out, but here are the highlights.

  • Controlled Unclassified Information (CUI) is the umbrella term for unclassified information that the government has declared needs safeguarding. It includes things like defense and critical infrastructure, but also information about natural and cultural resources and tax. This is separate from requiremetns for classified information.
  • DOD will add CMMC to the requirements section of solicitations and use it for a “go / no go decision.”
  • CMMC will unify various cybersecurity control standards including NIST standards such as the SP 800-171 recommendations for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
  • DOD will require contractors to hire a third independent third party commercial certification organization to perform a CMMC assessment based on the type of contracts the company will perform and then receive a certificate. No self-certification is allowed. However, the cost of certification will be considered an allowable, reimbursable cost.
  • The requirement will apply to all prime contractors and subcontractors, whether or not they work with CUI.
  • There are five increasing levels of cybersecurity ranging from basic to highly advanced. The practices are spread across 18 domains, such as Access Control, Personnel Security, and System and Information Integrity. Examples of Level 1 security practices include anti-virus and ad hoc incident response. Level 5, in contrast, includes things like real-time asset tracking and a 24×7 security operations center.

As you can see, these requirements are robust but there is a sliding scale based on what level of information a contractor will work with. Your company will need to get familiar with these requirements if it does any work with the DOD.

DOD is encouraging public comment. So check out the information and let DOD know how they can implement this requirement in the most efficient way possible. We’ll keep you updated on any major changes in the CMMC here at SmallGovCon.