Cybersecurity Maturity Model Certification (CMMC) for Defense Contractors Being Implemented by DoD. Is Your Company Ready to be Audited?

Posted by Stephen Palamara, TCC Director of Business Development

Recently, the Department of Defense announced that it will soon unveil a new cybersecurity standard and certification for defense contractors, called the “Cybersecurity Maturity Model Certification” (CMMC). This program will mandate cybersecurity audits and certifications for defense contractors.

At the 2019 Federal Acquisition Conference Presented by PSC on June 13, 2019, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, gave a presentation titled “Securing the Supply Chain”. The full PowerPoint presentation can be viewed here https://insidedefense.com/document/dod-briefing-slides-securing-supply-chain.

In this presentation, Ms. Arrington announced that all DoD contractors that interact with Controlled Unclassified Information (CUI) must comply with 110 cybersecurity best practices as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. Currently, contractors are required to self-certify that they meet the security requirements, but with the implementation of CMMC, it will no longer be possible to self-certify compliance. The CMMC initiative requires all contractor information systems to be certified as compliant by an independent auditor.

The details of CMMC are still being finalized, however the DoD stated that the levels within CMMC will range from basic cyber hygiene to “state-of-the-art,” and will capture security control and the institutionalization of processes. It is anticipated that implementation will begin over the next year.

Contractors can take steps now to reach compliance with NIST 800-171 and prepare for the certification audit. Preparation includes completing an assessment of cybersecurity compliance, a System Security Plan (SSP), a Plan of Action and Milestones (PoAM), and an Incident Response Plan (IRP).

To find out more about TCC’s Security Services, including NIST 800-171 and NIST 800-53 Gap & Remediation Services, please visit our website https://www.e-tcc.com/security-services, or contact me via email at Stephen.Palamara@e-tcc.com.