DOD’s Cybersecurity Maturity Model Certification Program Takes a Step Forward

In his article for Contract Management Magazine titled “DOD’s Cybersecurity Maturity Model Certification Program Takes a Step Forward,” government contracts partner Jack Horan provides a breakdown of the Department of Defense (DOD)’s new interim rule that will transition into the Cybersecurity Maturity Model Certification (CMMC) program.

In the article, Horan explains that the DOD is committed to creating the CMMC program – a unified cybersecurity standard for DOD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB). On Sept. 29, the DOD published an interim rule that will take effect on Nov. 30, 2020, as a bridge from the current cybersecurity regime of “Defense Federal Acquisition Regulation Supplement,” to the CMMC program.

Horan outlines the DOD’s current cybersecurity requirements and the details of the new requirements to come for DOD contractors and subcontractors. To reduce CUI exfiltration from the DIB, the CMMC program will add a verification component contingent on the maturity level of the contract and access to CDI the contractor will have. “Most importantly, the CMMC will require contractors and subcontractors to receive a certification by third-party certifiers based on the level and maturity of cybersecurity practices implemented by the contractor,” said Horan. He goes on to outline the five maturity levels, ranging from Level 1 (the most basic) to Level 5 (the most secure).

Horan also details the requirements of the new interim rule that requires a separate assessment, “NIST SP 800-171 DOD Assessment Methodology,” for all DOD contracts except for those for commercial of the shelf items. The Assessment Methodology evaluates a contractor’s implementation of NIST SP 800-171 security requirements, as required by current regulation. “The resulting NIST SP 800-171 DOD Assessment reflects ‘the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor,’” explains Horan.

When the interim rule takes effect, “DOD contractors should carefully review the solicitation to determine whether the contract will be subject to only the NIST SP 800-171 DOD Assessment Methodology requirement or will also be subject to the CMMC requirements,” adds Horan.

Horan emphasizes that DOD contractors and subcontractors should organize a team of appropriate personnel from management, business development, information technology, compliance, and contract management to determine, at a minimum: the current maturity level of its cybersecurity systems; the maturity level it will need to attain the company’s goals; the responsibility within the various departments of the company to ensure compliance with necessary practices for certification; and the needed resources and timeline to assure on-time completion.