On Sept. 4, the office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC) for comment. Under this model, defense contractors, including subcontractors, will be required to be certified at one of the CMMC levels (1-5) in order to be eligible for contract award. The required level is determined by the security requirements of each defense contract. This differs from previous cybersecurity mandates in that CMMC will require contractors to obtain a third-party certification. AGC will submit comments on or before the September 25 deadline.
According to the Department of Defense, the CMMC model will continue to be improved over the next several months in collaboration with all stakeholders, with v1.0 to be finalized in January 2020. DOD will begin including the final CMMC model as “go/no go” in all solicitations starting in Fall 2020. DOD envisions at least one additional round of public comments for the draft CMMC Model v0.6 in November 2019.
Cybersecurity has become a growing issue for DOD and Congress. In 2016, issues with FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) arose and continued with DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting), which became mandatory for all DOD contracts on Dec. 31, 2017.
The purpose of the CMMC is to be a “unified cybersecurity standard” for all DOD contractors. DOD had previously stated that the agency did not plan on auditing contractors’ electronic devices, but would rely on contractors attesting to their compliance with the requirements. However, DOD is no longer satisfied with this approach and now wants a much stricter “trust but verify” application using the CMMC model.
AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. DOD acknowledges the challenge of being 100% compliant with CMMC, but suggests a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance.
For more information, contact jordan.howard@agc.org or (703) 837-5368.