Organizations that work with the Department of Defense (DoD), collectively known as the Defense Industrial Base (DIB), are by now well aware of the cybersecurity mandates that have swept across the defense industry over the past several years. In 2015, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS) clause that requires private DoD contractors to implement the security requirements of NIST SP 800-171 on systems that handle covered defense information. This is all part of a government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats and reduce the overall security risk of the sector.

On January 31, 2020, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC). The framework is intended to ensure that contractors and suppliers have appropriate cybersecurity practices in place to protect data such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The DoD is rolling out the framework "to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB)."

The Cybersecurity Maturity Model Certification (CMMC) is a framework designed by the Department of Defense (DoD) to help protect controlled unclassified information within its supply chain. Developed by the DoD, federal stakeholders, and industry professionals, the CMMC gives the Defense Industrial Base a clear set of cybersecurity standards and best practices to follow. In the coming months, many DoD contractors will have to demonstrate the CMMC level named in a solicitation before they can be awarded the work. Understanding the current state of your cybersecurity program and how it measures up against the CMMC framework is the critical first step in this process.

CMMC Levels

  • Level 1 Foundational: Requires implementation of the basic safeguarding requirements in Federal Acquisition Regulation (FAR) 52.204-21 (15 requirements, which CMMC 1.0 counted as 17 practices). Annual self-assessments and affirmation of compliance are required.
  • Level 2 Advanced: Requires implementation of the 110 security requirements of NIST SP 800-171. Most contracts will require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with select contracts only required to perform annual self-assessments.
  • Level 3 Expert: Details are still being worked out, but this level is expected to require a subset of the enhanced security requirements from NIST SP 800-172 on top of Level 2. It is designated for the DoD's most sensitive programs.
