According to an article in Federal Computer Week (Pentagon finalizes CMMC standard for contractors), the Pentagon has released the official version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) standard. Department of Defense (DoD) contractors must start to meet the standard in the fall of 2020, and all will need to meet it by 2026.
Here are some key facts you need to know:
- On January 31, 2020, the Pentagon released its official version (1.0) of its unified cybersecurity standard that all contractors must meet by 2026.
- The Cybersecurity Maturity Model Certification (CMMC) will apply to any company that does business with the Department of Defense. CMMC applies to contractors and subcontractors.
- Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, indicated that CMMC will be complex, which is why there is a five-year timeline.
- Katie Arrington, Chief Information Security Officer for Defense Acquisition, said that the DoD plans to release 10 Requests for Information and 10 Requests for Proposal in 2020 that will include CMMC. Certification will be required of contractors and subcontractors when the contract is awarded.
DoD Has Concerns for Small Businesses
One issue for both the DoD and the business community is how small businesses will be able to meet the standards. Undergoing an assessment is one step in the process. Businesses that are not in compliance with the new standards will have to make changes, which could add significant costs.
Here are some key takeaways from the article in Federal Computer Week:
- Small and mid-sized businesses should gather information on how to work within the DoD’s framework. One step is to contact the DoD’s industry policy team, which will be able to connect businesses with CMMC experts. A second option is to work within industry associations. A third is to look at resources being offered by prime DoD contractors, many of whom are starting to release guidelines.
- Understand the framework of the CMMC guidelines, which closely resemble the existing NIST Cybersecurity Framework.
- Companies should look now for ways to assess their cybersecurity status and to determine whether they have the right processes and personnel in place.
The Federal Computer Week (FCW) story can be read here: Pentagon finalizes CMMC standard for contractors