Federal Contractor Report

New Mandatory Cybersecurity Requirements for Defense Contractors


On Sept. 25, AGC, along with a coalition of stakeholders, filed comments on Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC). According to the Department of Defense (DOD), the CMMC model will continue to be improved over the next several months, with v1.0 to be finalized in January 2020. DOD will begin including the final CMMC model as a “go/no go” requirement in all solicitations starting in Fall 2020. DOD envisions at least one additional round of public comments for the draft CMMC Model v0.6 in November 2019. AGC of America was disappointed to see that stakeholders were given just 21 days to review and comment on the v0.4 CMMC Model and urges DOD to allow significantly more time to review and comment on the v0.6 CMMC Model when it is released later this year.

The purpose of the CMMC is to be a “unified cybersecurity standard” for all DOD contractors. Under this model, defense contractors, including subcontractors, will be required to be certified at one of the CMMC levels (1-5) in order to be eligible for contract award. The required level is determined by the security requirements of each defense contract. This differs from previous cybersecurity mandates in that CMMC will require contractors to obtain a third-party certification.

DOD has previously stated that the agency did not plan on auditing contractors’ electronic devices, but would rely on them attesting to their compliance with the requirements. However, DOD is no longer satisfied with this approach and now wants a much stricter “trust but verify” application using the CMMC model.

AGC has communicated the difficulty many contractors have faced implementing these new cybersecurity requirements and the challenges the CMMC model creates. DOD acknowledges the challenge of being 100 percent compliant with CMMC, but suggests a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance.

AGC will continue to follow this issue and will update members as it develops.

For more information, contact Jordan Howard at jordan.howard@agc.org or (703) 837-5368.

 
