A Cybersecurity Program for all Defense Contractors

by Howard Snow, Former Deputy Assistant Secretary of the Navy

Over a year ago, the Pentagon finalized a cybersecurity standard that contractors needed to follow in order to hold and win new defense contracts. That standard was called the Cybersecurity Maturity Model Certification (CMMC) 1.0. This system was built on a five-tiered framework that rated companies based on levels of classification and security.

Prior to the Cybersecurity Maturity Model Certification system, there wasn’t a unified standard for cybersecurity that businesses needed to follow when bidding for contracts. Individual firms could simply say they had certain industry standards in place for cybersecurity. This left the defense supply chain, especially subcontractors down-tier from the prime contractors, vulnerable to adversaries.

In today’s new cyber threat environment, defense contracts need to mandate that bidders reach a certain level of security to win certain types of contracts. Thus, the Cybersecurity Maturity Model Certification (CMMC) 1.0 was created.

In order to bolster needed security, this new process was created with an accreditation board along with certified assessors. The board is an outside entity, separate from DoD, that was to be charged with approving assessors to certify companies for the new process.

However, the new system ran into resistance from within the system and from the outside – industry. Industry requested that the Pentagon review the Cybersecurity Maturity Model Certification program.

While the Defense Department was reviewing the program, defense contractors were told to keep working on the implementation of the Cybersecurity Maturity Model Certification (CMMC) program even though there were no program guidelines. As it turns out, the review is complete and the program has been redesigned to completely change the security framework.

On the 4th of November, Cybersecurity Maturity Model Certification 2.0 was announced. The upgraded system is simpler for defense contractors to implement, protects federal contract information, controls the handling of information, allows for more self-assessment, eliminates several tiers of compliance and reduces the role of third-party assessment.

The Pentagon will move forward with the new CMMC policies through the rulemaking process, including a period for public comment, according to a notice that was announced on Nov. 4. This means that the old CMMC 1.0 pilot is suspended and the new CMMC 2.0 rules will take place upon posting in the Federal Register.

So, look for CMMC 2.0 requirements in future defense contracting solicitations.

Happy hunting on future bids!
