Tuesday, February 25 2020

Department of Defense Releases Cybersecurity Maturity Model Certification


The Undersecretary of Defense for Acquisition and Sustainment (OSD A&S) released the Cybersecurity Maturity Model Certification (CMMC) on 31 January 2020. If you recall from previous Purdue MEP newsletter articles, CMMC will be a mandatory cybersecurity certification process that utilizes 3rd Party Auditors to verify that defense suppliers meet specific information security standards. The specific information security standards are detailed in the CMMC model.

To learn more about the CMMC model, click here.

CMMC Will be Gradually Phased In

Today, suppliers must continue to abide by DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) if this clause is contained in their contract and the company has Controlled Unclassified Information (CUI). Currently, DFARS clause 7012 references NIST SP 800-171 as the standard for demonstrating adequate security.

In the Spring/Summer of 2020, DoD plans to update the DFARS to reference CMMC instead of NIST SP 800-171. Additionally, the conceptual phase-in schedule below was discussed in the CMMC press release news conference (see link above).

  • Summer/Fall 2020 - 10 “pathway” RFIs and RFPs will be selected for CMMC inclusion. This will impact about 150 flow-down defense suppliers.
  • Expect about 1500 companies to receive CMMC certs in 2021.
  • Phase CMMC into all DoD contracts during a 5-year period from 2021 to 2026.

Although DoD is adopting this “crawl, walk, run” approach utilizing the above conceptual schedule, it is critically important for defense suppliers to start the process of improving their cybersecurity posture now.

Why Is It Important to Start Now

There are several reasons that it is critically important to start the process of meeting the mandatory cybersecurity standards now. First, cyber attacks on defense suppliers are rising at an exponential pace. The result is a massive loss of technological advantage over our possible adversaries and the loss of business revenue as systems are recovered from malware attacks. Second, it will take a significant amount of company resources, time and money, to meet the DFARS-CMMC standard. Spreading this effort over a couple of years will reduce the impact on the operational tempo of the company and lessen the acute impact on the budget. Third, and lastly, a company must have a CMMC certificate before contract award in the future process. In order to prevent a disruption of defense revenue, it is better to prepare early and be ready to obtain a certificate when the 3rd Party Audit system is established. If you agree with the reasons that it is important to start now, please see the section below regarding how Purdue MEP can help you get started.

Purdue MEP Can Help You

The Purdue MEP cybersecurity team is conducting full-day seminars that will explain the requirements, identify free and for-fee resources and introduce you to local cyber providers. If the seminars below don’t meet your schedule, we can arrange a 1-hour WebEx to review the basic requirements. Additionally, if you are ready to raise your information security posture now, we can provide technical assistance for cyber assessments and cyber remediation. Please visit our website or give us a call.

Visit our Workshops & Events page to find upcoming seminars on the topic.

Writer: Gene Jones, 765-496-7802

Purdue Manufacturing Extension Partnership, 550 Congressional Blvd., Suite 140, Carmel, IN 46032, (317) 275-6810
