In January 2020, the U.S. Department of Defense released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), a new set of cybersecurity requirements for DOD contractors. There is no fixed deadline for compliance with the new standard, but defense contractors should expect to see its requirements written into the bid requirements of new DOD contracts.
The model extends the traditional requirements for handling classified information to cover two categories of unclassified data as well: federal contract information (FCI) and controlled unclassified information (CUI), information that is not classified but is not intended for public release.
The CMMC is organized into 17 domains, ranging from Access Control and Configuration Management to Physical Protection and Incident Response. Most security professionals reviewing the domains will find few surprises: the domains and their component capabilities are drawn from existing standards and industry practice, chiefly the security requirements of NIST SP 800-171 and the basic safeguarding requirements of FAR 52.204-21.
The 5 levels of the Cybersecurity Maturity Model Certification
There is a reason it is called a maturity model: the CMMC provides a stepwise approach to building out a firm's cybersecurity controls over time as it moves through the five certification levels, from Level 1 (basic cyber hygiene) up to Level 5 (advanced, proactive practices).
One of the major distinguishing factors of the DOD's CMMC is that it goes beyond a set of requirements and incorporates a formal certification program. Under earlier rules such as DFARS 252.204-7012, contractors self-attested to their compliance; under the CMMC, contractors seeking certification at any of the five levels must be assessed by an accredited third-party assessment organization (C3PAO) and obtain a formal certification of compliance that is made available to DOD contracting officials.
Contracting officials will include specifications in bid requests identifying the level of certification required to participate in different projects. The required level will be based upon the nature of the information that the contractor will handle and the degree of risk.
Requirements at different levels vary, ranging from basic ad hoc safeguarding practices in Level 1 to advanced, proactive cybersecurity practices in Level 5. For example, the CMMC’s Incident Response domain does not include any capability requirements at Level 1. As organizations move to Level 2, they are expected to implement an operational incident handling capability. By the time they reach Level 5, they must use a combination of manual and automated real-time responses to anomalous activities that match incident patterns.
How DOD CMMC certification is awarded
For defense contractors, obtaining this certification is likely to be a time-consuming process, so it pays to start early. Here are three steps contractors can take to begin the compliance journey:
- Engage with agency officials to determine the likely level of Cybersecurity Maturity Model Certification required for future engagements.
- Conduct an initial gap assessment that compares the organization's current practices, domain by domain, against the practices required at the target CMMC level.
- Develop a prioritized action plan to remediate the deficiencies that stand between the current state and the target level of certification. Depending upon the nature of the firm's work, it may be preferable to certify at intermediate levels on the way to the final objective rather than attempting to reach it in one step.
Firms new to the world of security requirements may find they need to build entirely new programs to support the Cybersecurity Maturity Model Certification. Those that have previously handled classified information may need to apply existing security controls to new areas of their business, based upon the nature of DOD interactions. In either case, pursuing this certification may impose a regulatory burden, but it is also likely to improve the organization’s overall security posture.