DoD Releases V1 of CMMC Framework
On January 30, 2020, DoD released Version 1 of the Cybersecurity Maturity Model Certification Framework (CMMC v.1). When fully implemented, this framework will create a unified standard by which all DoD contractors will be required to certify their ability to protect Federal Contract Information (FCI) and Controlled Defense Information (CDI).
The purpose of the CMMC is to provide a unified cybersecurity standard for DoD acquisitions. After implementation, contractors will become certified within one of the CMMC “Levels.” Self-certification of FAR and DFARS data security contract clauses will end as DoD contractors will now be compelled to pass third party certifications.
The CMMC Briefing, Model v1.0 and Appendices are posted on the web site of the Office of the Under Secretary of Defense for Acquisition & Sustainment (CMMC) at https://www.acq.osd.mil/cmmc/draft.html.
A few items worth noting:
- Version 1.0 consists of 17 domains and 43 capabilities. It provides some clarity for Level 4-5 practices,
- Appendix E of Version 1.0 is a ‘source mapping’ resource that traces the sources of V.1 practices and processes beyond the Basic Safeguarding FAR and Network Penetration DFARS to CIS Controls v7.1, CERT Resilience Model v1.2 and the Australian and UK Cyber Essentials standards,
- DoD confirms the use of a phased rollout, targeting 10 RFIs and 10 RFPs in 2020 translating to a supply chain of approximately 150 contractors,
- DoD announced the formation of a 13-member Accreditation Body (CMMC-AB) for training and certifying third party assessment organizations (C-3PAOs) which will assess the DoD contractors (initial list expected in April),
- DoD is working with Defense Acquisition University to create a CMMC training program for small business contractors, and
- DoD officials suggested in the briefing that CMMC certifications will remain valid for 3 years, a significant expansion of earlier indications (i.e., 2 years).
A recent move that can only risk some of the targeted timelines, is DoD’s announcement that it intends to implement CMMC through a new DFARs rulemaking prior to September 2020. Given the stakes at issue, DoD’s lawyers wisely decided to avail themselves of the protections of the Administrative Procedure Act. That will significantly shield the CMMC from later legal challenges.