Tuesday, July 2, 2019
DoD Cybersecurity Accreditation Process and Timeline Unveiled - MEP Can Help!
The Department of Defense (DoD) recently announced the cybersecurity accreditation process, as well as the timeline by which the Defense Industrial Base (DIB)/DoD Suppliers will be evaluated. By September of 2020, all defense suppliers must be accredited by an independent third party before they will be considered on DoD Requests for Proposals (RFPs). This movement toward enforcement is an effort by DoD to raise the cybersecurity posture of the defense supply base, and reduce the loss of technological advantage and intellectual property.
Click here for more details on the announcement.
The Accreditation Process and Timeline
DoD is developing a Cybersecurity Maturity Model Certification (CMMC) by which all DoD suppliers will be evaluated. The maturity model certification levels will range from Level 1 = basic cybersecurity posture to Level 5 = state of the art cybersecurity posture. A specific CMMC level will be a prerequisite to bid on proposals for DoD contracts as of September 2020. To grade DoD suppliers at a specific CMMC level, a common assessment and accreditation tool is being developed from November 2019 to June 2020. By June 2020, DoD plans to start accrediting third party certifiers. The approved certifiers will use the assessment and accrediting tool to grade DoD suppliers at a specific CMMC level.
Here are DoD’s accreditation and timeline slides: Speaker Presentation: Securing the Supply Chain
How Purdue MEP Can Help
Over the past year, Purdue MEP has completed numerous cybersecurity assessments to the NIST SP 800-171 standard, and helped to remediate deficiencies that were uncovered. NIST SP 800-171 is one of the primary standards from which the CMMC is being developed. Companies that have completed an assessment with Purdue MEP understand their current cybersecurity posture, and have a plan to meet the NIST SP 800-171 standard. Additionally, Purdue MEP clients received a DoD grant that paid for 50% of this evaluation. It is expected this grant funding will continue for 2019-2020.
Purdue MEP plans to obtain the pilot versions of the CMMC and the common assessment and accreditation tool. If a company knows the CMMC level that is projected to be required for their core business, Purdue MEP can assess their current level and help to close the gaps to the CMMC level required for their core DoD business.
It is imperative that Indiana DoD suppliers start the process to improve their cyber-posture now! DoD considers the NIST SP 800-171 standard to be a “basic level of cybersecurity.” However, Purdue MEP has found most manufacturers initially only meet about 20-30% of this standard. For all CMMC levels, NIST SP 800-171 is a good place for companies to start. Plans of action to raise the cyber-health of your company using NIST SP 800-171 can be adjusted to make sure that you hit the correct CMMC level as more information is released. On the other hand, if no action is taken to upgrade your cyber-posture, it will be almost impossible to achieve cybersecurity model certification by September 2020 when DoD releases the final version of the assessment and accreditation tool in June 2020. It is a tremendous amount of work.
Contact us today to learn more and get started!
Writer: Gene Jones, (317) 284-6873, email@example.com