The Department of Defense (DoD) has released the final version of its Cybersecurity Maturity Model Certification (CMMC), which will certify DoD contractors’ cybersecurity practices and bolster supply chain security, the department announced on Friday.
“This is a step in the right direction to reduce risk and ensure reliable certification of industry solutions that have comprehensive security fit to protect defense agencies’ systems and sensitive data. Industry should work to provide RFIs for solutions that provide consistent and comprehensive security across traditional data centers, cloud, and mobile users,” said Zscaler’s vice president Andrew Schnabel.
The DoD developed CMMC as a framework to assess and enhance the cybersecurity of the Defense Industrial Base Sector and to protect Controlled Unclassified Information (CUI) and DoD supply chains.
CMMC’s revision has moved away from self-certification, replacing current National Institute of Science and Technology’s standards for cybersecurity with a five-level system of requirements for defense contractors.
“Moving away from self-reported security certifications, and toward a tiered system will ensure that industry and defense agencies are more tightly aligned,” added Schnabel.
Ellen Lord, undersecretary of Defense and 2020 Wash100 Award winner, emphasized the importance of innovation coming from small and medium-sized businesses, and said that several ideas are being discussed on how to accredit those businesses cost-effectively.
“We need small and medium businesses in our defense industrial base and we need to retain them,” Lord said. “We know that the adversary looks at our most vulnerable link . . . usually six, seven, or eight levels down in the supply chain.”
DoD will now focus on the remaining CMMC timeline, including the selection of third-party vendors, rulemaking, and completing a memorandum of understanding with a newly established CMMC accrediting body.
About DoD CMMC
DoD is releasing this latest version (v0.7) so that the public can review the draft model and begin to prepare for the eventual CMMC rollout. This document includes CMMC Levels 1-5 as well as the associated discussion and clarification for a subset of practices and processes in Appendices B – E.