On Dec. 13, 2019, the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Draft 0.7 of the Cybersecurity Maturity Model Certification (CMMC) framework. The CMMC framework will be used by third-party auditors to certify that members of the Defense Industrial Base (DIB) sector are complying with the Department of Defense’s (DOD’s) baseline cybersecurity requirements. In fall 2020, DOD will begin including CMMC certification requirements as go/no-go evaluation factors in some of its procurements and, eventually, DOD CMMC certification will be required for all DOD contractors, subcontractors, and suppliers working on defense contracts.

Background

As discussed previously in GT client alerts (see New Cybersecurity Certification Requirements for Government Contractors) and articles (see FEATURE COMMENT: Cybersecurity For Government Contractors: DOD’s New Cybersecurity Maturity Model Certification Rapidly Taking Shape), the CMMC framework represents a departure from the DOD’s current approach to baseline cybersecurity for the DIB sector. Defense contractors will no longer be permitted to simply self-certify their compliance with cybersecurity standards or rely upon Plans of Action and Milestones (POA&M) to fill gaps in their System Security Plans. Rather, third-party auditors, regulated by a yet-to-be-determined non-governmental organization, will be responsible for certifying contractor compliance with the CMMC framework.

The CMMC framework will establish five tiers of cybersecurity maturity, with Level 1 certification representing “Basic Cyber Hygiene” and Level 5 certification representing “advanced or progressive cybersecurity.” The CMMC framework consists of 17 domains, such as “Access Control” and “Personnel Security.” For each cybersecurity level, the CMMC framework requires contractors to demonstrate compliance with, or adoption of, increasingly stringent “capabilities” and “practices” in each of these domains.

What is New?

What is Next?

In January 2020, DOD plans to issue CMMC 1.0, which is expected to be the initial comprehensive version of the CMMC framework. While many questions remain regarding the content of the final CMMC framework and how DOD will implement CMMC requirements, DOD has repeatedly expressed its intent to require CMMC certifications for procurements starting in fall 2020.

For many organizations, achieving CMMC compliance will require significant effort. Accordingly, contractors should continue to review draft CMMC documents carefully and take steps now to begin implementing the required CMMC “capabilities” and “practices.” Absent such advance planning, contractors risk falling “behind the curve” and compromising their competitive position in future DOD procurements. Additionally, contractors should begin discussing CMMC implementation with their subcontractors and lower-tier suppliers to ensure they are aware of DOD’s new requirements and are prepared to achieve CMMC certification as needed.