The Cybersecurity Maturity Model Certification, or CMMC, has been a topic of conversation for a few years within the Defense Industrial Base (DIB). CMMC is a unified standard for implementing cybersecurity across the DIB, which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems. The US Department of Defense (DoD) released the much-anticipated Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. Since then, CMMC has undergone much scrutiny and discussion. Here is a timeline of CMMC:
September 2020: The CMMC program published by the DoD (now known as CMMC 1.0). This framework assesses a Defense Industrial Base (DIB) contractor’s compliance with a set of cybersecurity standards.
November 2020: A Presidential interim rule became effective, establishing a five-year phase-in period and requiring compliance with NIST SP 800-171 rules.
March 2021: The DoD announced an internal review of CMMC’s implementation.
November 2021: The DoD announced CMMC 2.0, an updated program and set of requirements designed to meet certain goals, including:
- Protecting sensitive information to enable and protect the warfighter.
- Dynamically enhancing DIB cybersecurity to meet evolving threats.
- Ensuring accountability while minimizing barriers to compliance with DoD requirements.
- Contributing to a collaborative culture of cybersecurity and cyber resilience.
- Maintaining public trust through high professional and ethical standards.
In today’s rapidly evolving digital landscape where cyber threats are becoming increasingly sophisticated and prevalent, safeguarding sensitive information is extremely important. For businesses involved with the Department of Defense (DoD) as contractors or subcontractors, the need to implement robust cybersecurity measures cannot be overstated.
One critical regulation that demands attention is the Cybersecurity Maturity Model Certification (CMMC), a framework designed to measure and enhance the cybersecurity posture and processes of companies within the Defense Industrial Base (DIB) supply chain. CMMC is currently in the rulemaking process, but it will arrive quickly relative to the amount of time it takes a company to get all controls in place to be compliant. In the meantime, contractors should be mindful of recent updates to the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which mandates compliance with specific cybersecurity requirements to protect valuable defense information. DFARS 7012 requires defense contractors to provide adequate security to protect unclassified Covered Defense Information (CDI). To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
The CMMC compliance deadline is expected to take effect in October 2025. DFARS 7012 is here NOW. Keep reading for a deep dive into the importance of staying compliant with upcoming changes to the CMMC clause and how waiting too long can be detrimental.