On January 30, the Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC).
Version 1.0 represents the final current standard for Levels 1–5 certification.
Along with the formation of the Accreditation Body (CMMC-AB) earlier last week, the release of version 1.0 represents a large step forward in the CMMC process and the associated cybersecurity requirements for the DoD supply chain.
Does CMCC apply to my organization, and what does it mean?
CMMC applies to everyone in the DoD supply chain and it is estimated that over 300,000 contractors and suppliers will have to comply with CMMC.
Under version 1.0 of CMMC, DOD contractors and suppliers will be required to obtain a cybersecurity rating from Level 1 through Level 5, with minimum certification levels beginning to be attached to contract solicitations beginning in September 2020. It is estimated that the first CMMC requirements will be included in some requests for information as early as June 2020.
The CMCC certification process
According to version 1.0 of CMMC, achieving Level 1 certification will involve 17 practices considered to be "basic cyber hygiene," such as ensuring the use of antivirus software and regularly updating passwords. Each level will build on the previous one, adding more cybersecurity practices and processes for contractors and suppliers to adhere to according to the DoD.
Level 3 will be similar to the National Institute of Standards and Technology (NIST) 800-171 standard, while Levels 4 and 5 will add further proactive and advanced cybersecurity practices.
All CMMC certifications will last for three years according to current guidance with the certification being made by independent third-party assessors.
More on the accreditation body
Further to the certification process, the members of the CMMC-AB have been released to the public. The CMMC-AB will be responsible for the administration of the CMMC standards and the associated certifications.
On its website, the CMMC-AB has set forth general information on certified third-party assessment organizations (C3PAOs) and the assessors that will work for the C3PAOs. The CMMC-AB estimates that there will be more than 10,000 trained assessors. As of now, however, only general information has been released and specifics are still to come.
Also of note is that the CMMC-AB stated that training materials will be forthcoming to educate trainers as well as to ensure uniform assessor training.
We will continue to monitor all updates to CMMC and are working with clients to ensure compliance.
Read the actual CMMC version 1.0 document and related appendices.