All Department of Defense (DoD) contractors and subcontractors will have to comply with a new, unified set of cybersecurity qualifications to do business with the Pentagon beginning this summer, the agency said.
The upgraded standards, referred to as Cybersecurity Maturity Model Certification version 1.0 (CMMC), are aimed at locking down the Pentagon's networks and classified information against infiltration by foreign hackers who gain access through weak links in the supply chain. The Defense Department introduced the model last May and issued the first draft last September.
"Adversaries know that in today's great power competition environment, information and technology are both key cornerstones, and attacking a sub-tier supplier is far more appealing than a prime," Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment, said (via National Defense, the business and technology media outlet of the National Defense Industrial Organization).
The new framework applies only to new contracts and will be phased in over the next five years, meaning that by 2026 all Defense Department contracts will have to adhere to CMMC requirements, officials said. In addition to a number of cybersecurity standards, the CMMC also references NIST Special Publication 800-171, which historically has been used to protect controlled classified information. Compliance has previously been voluntary, but under the CMMC all contract or subcontract holders for the DoD will have to be accredited by third-party assessment organizations, or C3PAOs.
Deploying third-party auditors will ensure that supply chain contractors are implementing the required practices, officials said. The verification body will include 13 members picked from the defense industrial base, the cybersecurity community and academia tasked with training and certifying its own members. So far, no seats have been filled.
As for the CMMC, it will be tiered into five levels, based on the work a supplier will be doing. While the level four and five standards carry the most stringent requirements, the jump from level one to level three is the longest, with contractors asked to move from 17 to 110 controls, officials said. The new requirements are expected to be incorporated into Requests for Information by June 2020, and into Requests for Proposals by Fall 2020.