In September the DoD unveiled a new draft of the Cybersecurity Maturity Model Certification (CMMC). This is the Pentagon’s push toward creating a simple, consistent framework for the cybersecurity standards it imposes on all 300,000+ prevailing wage contractors and subcontractors that work with the DoD.
Certification is structured in five levels, moving from less security at level one to highly advanced cybersecurity at level five. Within each level there are 18 domains, or security categories. These include:
• access control
• asset management
• awareness and training
• audit and accountability
• configuration management
• cybersecurity governance
• identification and authentication
• incident response
• maintenance
• media protection
• personnel security
• physical protection
• recovery
• risk assessment
• security assessment
• situational awareness
• system and communication protection
• system and information integrity
The new model is slated to “go live” and integrate with open RFPs in June of 2020. From that point, every defense contract will use the CMMC in determining a company’s ability to bid for contracts.
Timeline:
November 2019
The DoD released a draft of CMMC Model v0.6 for public review.
January 2020
The full model will be released to a consortium in January 2020 so that contractors will be able to learn the steps necessary to achieve each of the five levels.
June 2020
The model will “go live” and integrate with open RFPs in June of 2020. From that point, every defense contract will use the CMMC in determining a company’s ability to bid for contracts.
Current draft version available here:
https://www.acq.osd.mil/cmmc/draft.html