The Department of Defense drafted a new standard called the Cybersecurity Maturity Model Certification. This standard will replace NIST 800-171 on DoD RFIs and RFPs beginning in mid-2020. The CMMC contains five levels, ranging from basic hygiene to state-of-the-art. Unlike NIST 800-171, the CMMC will not contain a self-attestation component. Every organization that does business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.
31-January, 20201 DoD released CMMC Version 1.0 – Cybersecurity Maturity Model Certification, which requires any company that does business with the Department of Defense, Primes as well as subcontractors must have “at least a basic level of cybersecurity standards” when they respond to RFI and RFPs.
CMMC framework organizes processes and cybersecurity best practices into a set of cybersecurity standards, frameworks and DoD Stakeholders. The model framework organizes these processes and practices into a set of domains and maps them across five levels. Level 1 covers basic cyber hygiene, Level 2 would involve certifying cybersecurity processes as well, to ensure a contractor is effectively documenting, managing, reviewing and optimizing its practices across its entire enterprise. Level 3 requires that an organization establish, maintain and resources a plan demonstrating the management of activities and practice implementation. Level 4 requires that an organizational review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis. Level 5 requires a vendor to standardize cybersecurity practices across the organization and focuses on the protection from advanced persistent threats.
What to know:
- Does this apply to you? If you re a DoD Prime or Subcontractor YES it does.
- Can I self-certify? NO, CMMC requires an independent audit.
- What Will CMMC Require? CMMC will require all defense contractors and subcontractors to undergo a third party assessment of their internal cybersecurity technical practices and process maturity against published standards.
Please let us know if you need assistance with preaudit preparation.
Details can be found here: (LINK)