Demystifying Cybersecurity Maturity Model Certification (CMMC)
In 2015, the U.S. Department of Defense (DoD) published the Defense Federal Acquisition Regulation Supplement, known as DFARS, which mandates that private DoD contractors adopt cybersecurity standards based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 cybersecurity framework. This is part of a government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats and to reduce the overall security risk of the sector.
The CMMC was established to provide a single authoritative body that would:
- Set the terms and conditions for accrediting CMMC Third Party Assessment Organizations (C3PAOs)
- Provide oversight for CMMC accreditations and assessments, including managing and providing all associated processes:
  - Training
  - Quality control
  - Dispute resolution, and others
- Liaise with the DoD regarding the CMMC assessments of individual companies
The DoD has asked industry to establish an Accreditation Body (AB) with the following characteristics:
- A self-organizing, self-sustaining organization at NO cost to the DoD
  - Fees to maintain the CMMC Accreditation Body will be borne by its users
- A Memorandum of Understanding (MOU) to be established between the DoD and the CMMC Accreditation Body
  - A single organization (preferred), or
  - A group of peer organizations
- Responsible for coordination with the DoD CMMC Program Management Office
  - The DoD will be the specifier for the CMMC technical requirements (e.g. the model)
  - Regular communication and status reporting
  - Annual review
- Operational in January 2020
The DoD has an aggressive timeline for building the capability to audit government contractors: compliance is to be assessed at Levels 1 through 5 by accredited C3PAOs, which are managed by the single AB.
Industry, alongside RIVA, has been a good steward of this effort and is working aggressively toward establishing the AB and C3PAOs. We are closely monitoring the CMMC AB's progress to ensure RIVA's compliance with DoD regulations, and monitoring our internal processes and technologies to meet the cybersecurity requirements.
The draft CMMC v0.6 can be found at https://www.acq.osd.mil/cmmc/docs/CMMC-V0.6b-20191107.pdf.