The U.S. Department of Defense issued final rules for its Cybersecurity Maturity Model Certification (CMMC) Program, which is intended to ensure that defense contractors meet standards for safeguarding sensitive information.
The CMMC Program aligns with the DoD’s existing information security requirements for private sector defense contractors. It is designed to enforce the protection of sensitive unclassified information shared by the department with its contractors and subcontractors. The program was developed to provide the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for non-federal systems processing controlled unclassified information.
“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the DoD said in a statement. “The CMMC Program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company’s cybersecurity status.”
Central features of the CMMC Program:
- Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.
- Assessment Requirement: CMMC assessments allow the DoD to verify implementation of existing cybersecurity standards by contractors and subcontractors.
- Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.
Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments. Members of the defense industrial base may use cloud service offerings to meet the cybersecurity requirements that must be assessed as part of the CMMC requirement.