Last month, the DoD (Department of Defense) published amendments to the Defense Federal Acquisition Regulation Supplement, introducing the requirements for the upcoming CMMC (Cybersecurity Maturity Model Certification) program.
The rule, which will become effective from November 30 – following a public comment period – also contains new requirements for the NIST SP 800-171 DoD Assessment Methodology.
The amendments are intended to help protect controlled unclassified information in the defense industrial base.
As part of this, the DoD will require contractors that must comply with NIST SP 800-171 and wish to receive new contracts to complete an assessment and report the results, verifying their compliance.
The Assessment Methodology contains three assessment levels – Basic, Medium, and High – which are valid for three years.
The Basic Assessment is a self-assessment completed by the contractor before receiving a contract, whereas the Medium and High Assessments are available after a contract has been awarded.
The global standard for cybersecurity
Speaking at the ComDef Forum on September 29, the DoD’s acquisition office CISO, Katie Arrington, said that the CMMC is “absolutely foundational” to cybersecurity in the U.S., and added that the next step is to further global information sharing.
“The big thing to get over is our barriers on information sharing between government and the [intelligence] communities to the industrial base,” she said.
This follows earlier comments in which she said that the CMMC will become the “basis for a global standard” in cybersecurity.
Arrington estimates that about 285,000 federal contractors in the Defense Industrial Base will gain Level 1 certification under the new standard.
You can find out how to get certified by reading The Cybersecurity Maturity Model Certification (CMMC) – A pocket guide.
Written by international cybersecurity and privacy compliance expert William Gamble, this book helps you get to grips with the CMMC, explaining:
- What the program is and why it was introduced
- Who needs to comply with it
- How the implementation process works
- The implications of the CMMC for U.S. government suppliers