Tuesday, October 01 2019
DoD Cybersecurity Requirements Update
The development of a Department of Defense (DoD) cybersecurity accreditation process is well underway. Under the new certification process, known as the Cybersecurity Maturity Model Certification (CMMC), all defense suppliers must be accredited by September 2020 using an independent third party before they will be considered on DoD Requests for Proposals (RFPs). This movement toward enforcement is an effort by DoD to raise the cybersecurity posture of the defense supply base and reduce the loss of technological advantage and intellectual property.
The Accreditation Process and Timeline
DoD is developing a Cybersecurity Maturity Model Certification (CMMC) by which all DoD suppliers will be evaluated. The maturity model certification levels will range from Level 1 (basic cybersecurity posture) to Level 5 (state-of-the-art cybersecurity posture). It is anticipated that most manufacturers will need a CMMC Level 3 certification because they make something unique to DoD specifications. Please note that even a landscaping contractor who cuts DoD facility grass will need at least a CMMC Level 1 certification. A specific CMMC level will be a prerequisite to bid on proposals for DoD contracts as of September 2020. To grade DoD suppliers at a specific CMMC level, a common assessment and accreditation tool is being developed from November 2019 to June 2020. The latest draft of the tool, CMMC v0.4, is available here. By June 2020, DoD plans to start accrediting third-party certifiers. The approved certifiers will use the assessment and accreditation tool to grade DoD suppliers at a specific CMMC level.
How Purdue MEP Can Help
There are three ways Purdue MEP can help companies improve their cybersecurity posture.
First, over the past year, Purdue MEP has completed numerous cybersecurity assessments against the NIST SP 800-171 standard and helped to remediate the deficiencies that were uncovered. NIST SP 800-171 is one of the primary standards from which the CMMC is being developed, and NIST SP 800-171 is a good approximation of CMMC Level 3, the CMMC level needed by most manufacturers. Companies that have completed an assessment with Purdue MEP understand their current cybersecurity posture and have a plan to meet the NIST SP 800-171 standard. Additionally, Purdue MEP clients received DoD grant funding that paid for 50% of this evaluation. Purdue MEP has limited grant funding to continue this technical assistance in 2019-2020.
Second, in addition to the on-site technical assistance referenced above, Purdue MEP is conducting Defense Cybersecurity Assurance Program (DCAP) seminars periodically throughout the state. At the DCAP seminars, attendees will be presented the DoD cybersecurity requirements and introduced to resources to assist in the process. The first seminar was held in Bloomington on November 12th, 2019. Seminars were also conducted in Indianapolis (April 2020) and Fort Wayne (May 2020).
Third, contact Purdue MEP to help coordinate a Cybersecurity Group Consulting Session at your company or nearby. Group Consulting Sessions are a cost-effective method for three companies to share the cost of four hours of expert cybersecurity guidance on meeting the mandatory DoD contracting requirements. Attendees will receive detailed feedback on their current cybersecurity configuration and guidance to improve their cyber-posture so that they meet the requirements of DFARS clause 252.204-7012.
It is imperative that Indiana DoD suppliers start the process of improving their cyber-posture now. DoD considers the NIST SP 800-171 standard, which approximates CMMC Level 3, to be a “basic level of cybersecurity.” However, Purdue MEP has found that most manufacturers initially meet only about 20-30% of this standard. For all CMMC levels, NIST SP 800-171 is a good place for companies to start. Plans of action to raise the cyber-health of your company using NIST SP 800-171 can be adjusted to make sure that you hit the correct CMMC level as more information is released. On the other hand, if no action is taken to upgrade your cyber-posture, it will be almost impossible to achieve cybersecurity maturity model certification by September 2020, given that DoD releases the final version of the assessment and accreditation tool only in June 2020. It is a tremendous amount of work that can’t be accomplished in a couple of months.
Contact us today to learn more and get started!
Writer: Gene Jones, 765-496-7802, firstname.lastname@example.org