The Department of Defense (DoD) has now finalized its new cybersecurity standards, which we discussed last year. The new cybersecurity standards, which are intended to protect controlled unclassified information, will be implemented by the Cyber Maturity Model Certification program (CMMC), which was finalized last week after multiple draft iterations. CMMC Version 1.0 is available here.
CMMC Will Require Third-Party Certification of Cybersecurity Maturity Level
Among other changes from the prior cybersecurity compliance regime, this new approach will require that to be eligible for DoD awards, contractors must be certified by a third-party commercial certification organization to have achieved one of five cybersecurity maturity levels, with higher levels representing more advanced cybersecurity. Later this year, DoD solicitations will contain the applicable CMMC requirement, and contractors failing to meet this standard will be unable to bid. The requirements will apply to all parties within the supply chain (although subcontractors may not have to meet as high a CMMC standard as the prime contractor, depending on their scope of work).
The scope and impact of the new cybersecurity standards will be significant. The DoD intends to attach minimum certification levels to solicitations beginning in September 2020, and the agency expects approximately 300,000 contractors will need to be certified. This number may rise, as the number of DoD contracts subject to CMMC requirements will increase over time and by 2026 all contracts will have some minimum CMMC requirement.
Next Steps for DoD Contractors
Given the scope of the new cybersecurity standards, DoD faces significant challenges in implementing the CMMC program and ensuring compliance. Although the body overseeing the training and administration of the third-party commercial certification organizations has named its board of directors, the third-party certifiers, who are critical to the program, have not yet been chosen. Certifying the vast number of DoD contractors before the standards become effective in September 2020 will be difficult.
DoD contractors will need to begin planning for CMMC certification now, because failure to secure an appropriate certification will render contractors ineligible for award.