In May the Pentagon announced that it was developing a new cybersecurity certification for Department of Defense contractors that will be made available later this year. The new standard, called the “Cybersecurity Maturity Model Certification” (CMMC), is meant to address cybersecurity deficiencies in the defense industrial base and to secure the supply chain.
Last Thursday, at the Professional Services Council Federal Acquisition Conference, the DoD unveiled the new standard, which uses a five-level system.
Katie Arrington, special assistant for cyber to the DoD’s assistant secretary of defense for acquisition, made the announcement at Thursday’s conference, and said she is working on CMMC with the Johns Hopkins University Applied Physics Laboratory and the Carnegie Mellon University Software Engineering Institute to “review and combine various cybersecurity standards into one unified standard for cybersecurity.”
CMMC will combine guidance currently in place from the National Institute of Standards and Technology with new input from the private sector and academia. It is also expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule. That DFARS rule requires any defense contractor handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.
CMMC is being developed to be semi-automated and, more importantly, cost-effective, so that small businesses can still achieve at least the level-one CMMC certification.
The DoD plans to release the draft standard in July. It will then collect industry feedback through a series of national listening sessions before incorporating the new requirements into solicitations in September 2020.
Expedite the Cybersecurity Acquisition Process
The goal of CMMC is to expedite the DoD’s cybersecurity acquisition process, but Arrington noted that cost or performance cannot be traded for security – the latter being the foundation of defense acquisition. As a result, once certification is available, contracts will specify the CMMC level required of the contractor.
This is important because many contractors (along with the federal agencies themselves) have ad hoc or otherwise inconsistent cybersecurity practices, and CMMC could be a way to bring them in line. Cybersecurity breaches and intellectual property theft have been an issue for the DoD, including the theft of data on high-grade weapon systems – most notably the F-35.
“We should be infuriated about what has happened to our data,” warned Arrington, who added that she and her team will be seeking industry insight in the final development of CMMC.
“With 70% of my data living in your environment, I’m home, so we need to work together to secure it,” Arrington said. “Who is the government? You are when you’re the taxpayer. That’s your money. That’s your data that you have paid for that our adversaries are taking and using it against us. We should be infuriated as a nation about our data. With $600 billion a year being expelled by our adversaries; this room should be irate.”
Arrington emphasized that it is critical to have public-private sector collaboration in developing and finalizing CMMC.
In July and August she and the team will travel to San Diego; San Antonio; Huntsville, AL; Tampa, FL; Boston; Washington; Phoenix; Detroit; Colorado Springs, CO; Seattle; and Kansas City, MO, to engage with the industry via listening sessions.