The Office of the Under Secretary of Defense for Acquisition and Sustainment has been on a fast-track mission to shore up the cybersecurity measures of defense contractors and the supply chain to the Department of Defense (DOD). It is in the process of developing a Cybersecurity Maturity Model Certification (CMMC) requirement for those vendors.
Many DOD vendors and subcontractors are small businesses and could be left behind if they don’t focus on and invest in cybersecurity readiness.
It is the goal of the DOD to release CMMC Rev 1.0 in January 2020, and there have been public announcements that the DOD will be auditing existing contractors immediately to determine compliance with the requirements.
For those looking to get into the defense contractor industry, and who don’t already have a contract, it is anticipated that CMMC will be included in all Requests for Information starting in June of 2020, and in all Requests for Proposals in the fall of 2020.
In order to be certified, a company has to be accredited by a third-party company; no self-certification will be permitted. The CMMC model has 18 domains, and certification will be provided based upon the level requested, which is dependent on the work being performed for the DOD. The levels start with basic cyber hygiene and get more sophisticated from there. Certification of contractors will be dependent on the risk posed by the work being performed and the sensitivity of data shared and disclosed.
January is coming quickly, so DOD contractors should become familiar with CMMC and get ready to be audited. We are hearing that DOD is serious about getting audits started quickly and that they won’t have much tolerance if their contractors aren’t ready. This could have a huge impact on small contractors who are not prepared for the rollout of CMMC.