November 02, 2020

DOD’s Cybersecurity Maturity Model Certification Program Takes a Step Forward

Contract Management Magazine

In his article for Contract Management Magazine titled “DOD’s Cybersecurity Maturity Model Certification Program Takes a Step Forward,” government contracts partner Jack Horan provides a breakdown of the Department of Defense (DOD)’s new interim rule that will transition into the Cybersecurity Maturity Model Certification (CMMC) program.

In the article, Horan explains that the DOD is committed to creating the CMMC program – a unified cybersecurity standard for DOD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB). On Sept. 29, the DOD published an interim rule that will take effect on Nov. 30, 2020, as a bridge from the current cybersecurity regime under the Defense Federal Acquisition Regulation Supplement (DFARS) to the CMMC program.

Horan outlines the DOD’s current cybersecurity requirements and the details of the new requirements to come for DOD contractors and subcontractors. To reduce CUI exfiltration from the DIB, the CMMC program will add a verification component contingent on the maturity level of the contract and access to CDI the contractor will have. “Most importantly, the CMMC will require contractors and subcontractors to receive a certification by third-party certifiers based on the level and maturity of cybersecurity practices implemented by the contractor,” said Horan. He goes on to outline the five maturity levels, ranging from Level 1 (the most basic) to Level 5 (the most secure).

Horan also details the requirements of the new interim rule, which requires a separate assessment, the “NIST SP 800-171 DOD Assessment Methodology,” for all DOD contracts except those for commercial off-the-shelf items. The Assessment Methodology evaluates a contractor’s implementation of the NIST SP 800-171 security requirements, as required by current regulation. “The resulting NIST SP 800-171 DOD Assessment reflects ‘the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor,’” explains Horan.

When the interim rule takes effect, “DOD contractors should carefully review the solicitation to determine whether the contract will be subject to only the NIST SP 800-171 DOD Assessment Methodology requirement or will also be subject to the CMMC requirements,” adds Horan.

Horan emphasizes that DOD contractors and subcontractors should organize a team of appropriate personnel from management, business development, information technology, compliance, and contract management to determine, at a minimum: the current maturity level of the company’s cybersecurity systems; the maturity level it will need in order to achieve the company’s goals; the responsibility within the various departments of the company for ensuring compliance with the practices necessary for certification; and the resources and timeline needed to ensure on-time completion.
